Chapter 2
The SGD administration tools, Object Manager, Array Manager, Configuration Wizard, and Session Manager have been replaced by the SGD Administration Console. The SGD Administration Console is a web application. The Administration Console can be used by SGD Administrators to configure SGD.
Wherever possible, run the Administration Console on the primary server in the SGD array. Some operations, for example, creating new objects or editing object attributes, are best done on the primary server. If you perform these operations on a secondary server and the primary server is not running, your changes are not implemented.
Note - The SGD distribution includes a web archive (WAR) file for the Administration Console, sgdadmin.war. Using this file to deploy the Administration Console on another web application server is not supported.
| SGD Version 4.31 | Administration Console |
| --- | --- |
| array member | SGD server |
| emulator session | application session |
| Enterprise Naming Scheme (ENS) | local repository |
| ENS equivalent name | user profile |
| Fully Qualified Name | user identity |
| intelligent array routing | load balancing group |
| login authority | system authentication |
| login profile | user profile |
| person object | user profile object |
| Tarantella Federated Naming (TFN) | Not used |
| webtop session | user session |
To be able to use the Desktop Direct URL, the user must be assigned an application object called My Desktop (cn=My Desktop). This object is created automatically when SGD is installed. By default, the object is configured to run the default desktop application available on the SGD server, for example, the Sun Java Desktop System. You can reconfigure this object to run any application you want, but it works best with full-screen desktop applications. If users require different desktop applications, you can create additional My Desktop objects as required. However, users must be assigned only one My Desktop application.
The Desktop Direct URL is http://server.example.com/sgd/mydesktop, where server.example.com is the name of an SGD server. This URL displays the SGD Login page. Once the user has logged in, the desktop session displays and the web browser can be closed.
Users with Microsoft Windows client devices can have roaming user profiles. Roaming user profiles provide the user with the same working environment, no matter which Microsoft Windows computer they use. If Microsoft Windows users have roaming user profiles, the SGD client profile is automatically adjusted to allow for this, as follows:
| Client Profile Setting | Roaming Profile Entry |
| --- | --- |
| Add Applications to Start Menu | `<mode>` |
| Automatic Client Login | `<autologin>` |
| Connect on System Login | `<autostart>` |
| Connection Failure | `<reconnect mode>` |
$ tarantella config edit \
    --tarantella-config-array-webtopsessionidletimeout secs

$ tarantella config edit \
    --tarantella-config-array-webtopsessionidletimeout 1800
$ tarantella config edit --server-dns-external \
    "192.168.55.0/24:boston.indigo-insurance.com"
Using this attribute, keyboard shortcuts that deal with window management can either be sent to the remote session or acted on locally. This setting is only effective for applications having a Window Type setting of Kiosk mode.
By default, the Windows key is now enabled in SGD Windows Terminal Services sessions. The default setting for the SGD Terminal Services Client (ttatsc) -windowskey option is on. You can change this option using the Arguments for Protocol (--protoargs) attribute on the Windows application object.
If an SGD server has multiple DNS names, for example, it is known by different names inside and outside a firewall, you can specify the additional DNS names as subject alternative names when generating a Certificate Signing Request (CSR). This enables you to associate more than one DNS name with a server certificate.
The attribute enables you to specify a file that contains mappings between UNIX client device and Microsoft Windows application server time zone names. The attribute applies to all SGD servers in the array.
Session Directory can be used instead of SGD to handle session resumability for Windows applications. Session Directory is a database that keeps track of which users are running which sessions on which Windows application server.
See Session Directory for Windows Terminal Services for more details about using Session Directory with SGD.
The X application must output sound using the Open Sound System (OSS). If your system uses the Advanced Linux Sound Architecture (ALSA), you might have to enable the ALSA OSS emulation modules in the kernel.
Some X applications are hard-coded to use the /dev/audio or /dev/dsp devices for audio output. A new attribute for X application objects, Audio Redirection Library (--unixaudiopreload), enables an SGD audio redirection library to force the X application to use the SGD audio device.
Microsoft Windows Vista includes the Remote Desktop feature, which enables you to access a computer using the Remote Desktop Protocol. You can now use SGD together with Remote Desktop, for example, to give users access to their office PC when they are out of the office. Only full Windows desktop sessions are supported.
Integrated mode - The webtop content (the links for starting applications) displays in the desktop Start or Launch menu so that users can run remote applications in the same way as local applications. Depending on how you configure Start or Launch menu integration, you might not need to use a web browser.
Working in Integrated mode simplifies session management. Unlike the webtop, it has no controls for suspending and resuming applications. Instead, when you log out, the Client automatically suspends or ends all running application sessions. When you log in again, the Client automatically resumes all suspended sessions.
If you need to display a webtop, for example to resume a suspended application or manage printing, you click the Webtop link on the Start or Launch menu. The webtop displays in your default web browser.
If you configure the webtop content to display in groups, those groups are also used in the Start or Launch menu. If the group is configured to hide webtop content, the content does not display in the Start or Launch menu.
For details of the desktop systems that can be used with Integrated mode, see Client Requirements.
You can now configure the SGD Client to start automatically when a user logs in to their client device. The SGD Client can also cache an authentication token that enables a user to start a user session automatically without having to log in manually. When the SGD Client is configured in this way, users experience the benefits of a single sign-on.
Automatic login is achieved using authentication token authentication. If the SGD Client presents a valid authentication token, the user is authenticated automatically to SGD. To obtain an authentication token, users must perform an initial log in using a web browser and then manually generate the authentication token by editing their client profile. A separate token is needed for each SGD server the user connects to.
The desktop Start or Launch menu and single sign-on features mean that the SGD Client requires some configuration to connect to SGD. Not only that, different configurations might be needed in different situations, for example because the user is in the office or working at home. To be able to manage multiple Client configurations, version 4.3 introduces client profiles as the method for storing a group of SGD Client settings. Each client profile enables you to configure the following:
SGD Administrators have full control over client profiles. On an Administrator's webtop there is a new administration tool, Profile Editor. With the Profile Editor, Administrators can create and edit client profiles for organization, organizational unit (OU) objects, and for profile objects in the Tarantella System Objects organization. By defining client profiles for these objects, Administrators can deploy common default SGD Client configurations to users.
Administrators can control whether users can create and edit their own client profiles. User profile editing can be enabled globally, for an organization, for an OU, or for individual users. By default, user profile editing is enabled. Users create and edit profiles from the Edit button on their webtop.
When connecting to SGD from different locations, the SGD Client often needs different client proxy server settings. Ensuring that users have the correct proxy settings can also be difficult to administer. Version 4.3 introduces mobile proxy server configuration. With mobile proxy server configuration, the SGD Client uses the settings in the client profile to determine the proxy server settings. The proxy server settings can be specified as follows:
If the SGD Client is running in Integrated mode and configured to use the web browser settings, the SGD Client obtains the proxy settings by loading the URL specified in the profile in the user’s default web browser. As the SGD Client caches the settings it obtains, the SGD Client can be configured to use the settings in the cache so that the user’s default web browser only has to be started once.
To support running the SGD Client in Integrated mode, or in environments that have web browsers without Java technology enabled, you can download and install the SGD Client manually. You download the SGD Client from an SGD server at http://server.example.com, where server.example.com is the name of an SGD server. Click Install the Sun SGD Client to install the SGD Client.
X application objects have a new X Security Extension attribute (--securityextension) that enables the X Security Extension for an application. If you need to run an X application from an application server that might not be secure, enable the X Security Extension and run the application in untrusted mode. This restricts the operations that the X application can perform in the X server and protects the display. X security only works with versions of SSH that support the -Y option. For OpenSSH, this is version 3.8 or later.
The SGD Client on UNIX platform, Linux, and Mac OS X client devices now supports PDF printing. On these clients, printing to an SGD PDF printer causes the document to be displayed in a PDF viewer, where the file can be saved or printed. By default, SGD supports the following PDF viewers:

| Client Platform | Default PDF Viewer |
| --- | --- |
| Solaris OS on SPARC technology platforms | Adobe Reader (acroread) |
| Solaris OS on x86 platforms | GNOME PDF Viewer (gpdf) |
| Linux | GNOME PDF Viewer (gpdf) |
| Mac OS X | Preview.app |
Note - When selecting a PDF printer on UNIX platform, Linux, and Mac OS X client devices, there is no difference between the “Universal PDF Printer” and “Universal PDF Viewer” printers as the document is always displayed in a PDF viewer.
The attributes for managing access rights to client drives available for organization, organizational unit and user profile objects apply only to Windows client devices regardless of whether they are connected to Windows, UNIX platform, or Linux applications.
The SGD Enhancement Module must be installed and running on the UNIX platform or Linux application server. Currently you have to manually start the client drive mapping service with the /opt/tta_tem/bin/tem startcdm command.
The application server must have a Network File System (NFS) server installed and running. The NFS server must export a directory to be used for client drive mapping. By default, this is /smb. It is possible to specify a different directory in the /opt/tta_tem/etc/client.prf file. The entry in this file has the format NFS_server/mount/mountpoint.
When client drive mapping is enabled, the user’s client drives or file systems are available by default in the My SGD drives directory in the user’s home directory. The My SGD drives directory is a symbolic link to the NFS share that is used for client drive mapping.
Microsoft Windows XP Professional includes the Remote Desktop feature, which enables you to access a computer using the Remote Desktop Protocol. You can now use SGD together with Remote Desktop, for example, to give users access to their office PC when they are out of the office. Only full Windows desktop sessions are supported.
You can also install the SGD Enhancement Module on Microsoft Windows XP Professional client devices to provide support for client drive mapping. Advanced load balancing and seamless windows are not supported.
The initial connection between an SGD Client and an SGD server is now secured with SSL. However, after the user logs in, the connection is downgraded to a standard connection. To be able to use SSL permanently for connections to SGD, you must enable SGD security services.
$ tarantella config edit \
    --tarantella-config-array-netservice-proxy-routes route...
If a route includes the :ssl option, you must configure the SGD SSL Daemon to accept unencrypted connections using the SSL Accelerator Support attribute on the Secure Global Desktop Server Settings ⇒ Security tab of the Administration Console, or with the following command:
$ tarantella config edit --security-acceptplaintext 1
When a user connects to SGD for the first time, they see an Untrusted Initial Connection warning message that asks them whether they really want to connect to the SGD server. The message displays the host name and fingerprint of the security certificate for the server they are connecting to. Users should check these details before clicking Yes. Once a user agrees to the connection, they are not prompted again unless there is a problem.
Provide users with a list of host names and fingerprints for the servers that are trusted. Use the tarantella security fingerprint command on each member of the array to obtain a list of fingerprints.
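The check described above, as an added example that is not part of the SGD documentation or product: it compares the host name and fingerprint shown in an Untrusted Initial Connection prompt against a published trust list. The host names and fingerprint values are constructed samples, and the "host: fingerprint" list format is an assumption, not the output format of the tarantella security fingerprint command.

```python
# Added example (not SGD documentation or product code). Verifies an
# Untrusted Initial Connection prompt against an administrator-published
# trust list. Sample hosts/fingerprints are constructed; the "host: fp"
# list layout is an assumption about how an administrator might publish it.
import hmac
import re


def normalize_fingerprint(fp: str) -> str:
    """Lower-case hex with separators removed, so 'AB:CD' and 'ab cd' compare equal."""
    digits = re.sub(r"[\s:\-]", "", fp).lower()
    # Accept MD5 (32), SHA-1 (40) or SHA-256 (64) hex digests only.
    if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", digits):
        raise ValueError(f"not a recognisable certificate fingerprint: {fp!r}")
    return digits


def load_trusted(text: str) -> dict:
    """Parse 'host: fingerprint' lines into {host: normalized_fingerprint}."""
    trusted = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, fp = line.partition(":")
        host = host.strip().lower()
        if not host or not fp.strip():
            raise ValueError(f"malformed trust-list line: {line!r}")
        trusted[host] = normalize_fingerprint(fp)
    return trusted


def verify_prompt(trusted: dict, host: str, shown_fp: str) -> str:
    """Return 'accept', 'unknown-host' or 'mismatch' for a prompt's details.

    An unknown host is rejected rather than added: the user should only
    click Yes for servers the administrator has listed.
    """
    expected = trusted.get(host.strip().lower())
    if expected is None:
        return "unknown-host"
    # Constant-time comparison avoids leaking how many leading digits matched.
    if hmac.compare_digest(expected, normalize_fingerprint(shown_fp)):
        return "accept"
    return "mismatch"


# Constructed sample trust list: one SGD array member per line.
TRUSTED_LIST = """
# host name: certificate fingerprint (constructed sample values)
boston.example.com: 3a:7f:0c:1e:55:9d:ab:42:67:f0:13:8e:c4:2b:d9:01:6a:5e:77:b8
newyork.example.com: 9c:02:e1:44:b7:3d:5f:a8:10:6e:22:cd:90:7b:e3:48:1f:66:d5:0a
"""

if __name__ == "__main__":
    trusted = load_trusted(TRUSTED_LIST)
    # A prompt showing the listed Boston fingerprint in upper case, no colons.
    print(verify_prompt(trusted, "Boston.Example.com",
                        "3A7F0C1E559DAB4267F0138EC42BD9016A5E77B8"))
```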
Applications can be assigned a Clipboard Security Level. Data can only be copied if the target application (the application receiving the data) has a Clipboard Security Level equal to or higher than that of the source application. This enables Administrators to secure the data available through particular applications.
The SGD Client can be assigned a Clipboard Security Level. Data can only be copied to applications running on the client device if the SGD Client has a Clipboard Security Level equal to or higher than that of the source application. This enables Administrators to control the flow of data out of SGD.
To use SecurID authentication, first ensure that users can log in to the application server using SecurID before introducing SGD. When you are ready to use SecurID authentication, configure the application to use the securid.exp login script.
By visiting a different URL, or selecting a language on the SGD Web Server Welcome Page (http://server.example.com, where server.example.com is the name of an SGD server), users can run a webtop in their preferred language. The SGD Client can also be started in a preferred language.
To enable the Expect scripts to work with system prompts in different languages, a new Prompt Locale (--hostlocale) attribute on application server objects enables you to specify the locale of the application server.
Solaris 10 OS Trusted Extensions on SPARC and x86 platforms is now supported. See Support for Solaris 10 OS Trusted Extensions for more details.
See Chapter 1 for more information about supported platforms for this release.
As a result of this change, for this release of SGD, you cannot configure applications to display in a web browser window. The webtop and newbrowser options for the Window Type attribute (--displayusing) have been removed.
See Subject Alternative Names for Server Certificates for more details.
Some overloaded methods were present in the 4.31 release. These methods were distinguished by the number and type of their parameters. All such overloaded methods have been renamed for the 4.40 release. Additionally, the mandatory parameters for the setSessionIdentity method have changed for the 4.40 release.
| Interface Name | Method Name in Version 4.31 | Method Name in Version 4.40 |
| --- | --- | --- |
| ITarantellaDatastore | modify(String, String, String) | modifyReplace(String, String, String) |
| ITarantellaEvent | adminSendClientSideMessage(String, String, String, String, String) | adminBroadcastClientSideMessage(String, String, String, String, String) |
| ITarantellaExternalAuth | setSessionIdentity(String, String) | setSessionIdentity(String, String, String) |
| ITarantellaWebtopSession | authenticateSession(String, String, String) | authenticate(String, String, String, String) |
| ITarantellaWebtopSession | authenticateSession(String, String, String, Item, Item) | authenticateExt(String, String, String, String, Item, Item) |
| ITarantellaWebtopSession | setTCCConfiguration(String, String, String, String, String, Item) | setTCCConfigurationOverrides(String, String, String, String, String, Item) |
| Interface Name | Method Name | Description |
| --- | --- | --- |
| ITarantellaDatastore | deleteObjects | Delete several objects from the SGD datastore. |
| ITarantellaEmulatorSession | adminCount | Count the number of matching application sessions a search would return. |
| ITarantellaPrint | adminCount | Count the number of matching print jobs a search would return. |
| ITarantellaWebtopSession | associateTCC | Associate a user session with an existing SGD Client connection. |
| ITarantellaUtility | searchEnd | Release server resources for a given search. |
To list the SGD web services, go to http://server.example.com/axis/services, where server.example.com is the name of an SGD server. Click on the wsdl link to see the Web Services Description Language (WSDL) listing for an SGD web service.
The WSDL listings for the RPC/Encoded versions of the web services are still included on this page. Do not use the RPC/Encoded versions for developing your own applications. These versions of the web services will be deprecated in future releases.
$ tarantella cache --flush krb5config
The tem status command provides status information for load balancing, UNIX platform audio, and client drive mapping services for the SGD array. The command lists the installed modules and indicates whether they are running or not.
In this release, by default, when you start the SGD Client from the command line or in Integrated mode, the SGD Client assumes that the client device does not have Java technology enabled. A new -use-java argument for the tcc and ttatcc commands configures the SGD Client to use Java technology.
In previous releases, by default, the SGD Client assumed Java technology was enabled. A -no-java argument for the tcc and ttatcc commands was available to override this behavior. This argument has now been deprecated.
Several attributes have been renamed to give shorter attribute names. This prevents errors when typing these attributes on the command line. The following table lists the attribute names that have been renamed.

| Attribute Name in Version 4.31 | Attribute Name in Version 4.40 |
| --- | --- |
| Printer Name in Release 4.31 | Printer Name in Release 4.4 |
| --- | --- |
| Universal PDF | Universal PDF Printer |
| Print to Local PDF File | Universal PDF Viewer |
For application objects configured with a Window Type setting of Independent Window, a warning dialog is now shown when the application window is closed. The dialog prompts you to confirm that you want to end the application session.
$ tarantella config edit \
    --tarantella-config-array-netservice-proxy-routes \
    "192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080"
The Object Manager, Array Manager, Session Manager, and Configuration Wizard administration tools are no longer displayed on the Administrator’s webtop. These administration tools have been replaced by a browser-based administration tool called the Administration Console. See SGD Administration Console for more details.
The Configuration Wizard is still included in the SGD distribution, as an example web application. To display the Configuration Wizard, go to http://server.example.com/sgd/admin/configmgr/index.jsp, where server.example.com is the name of an SGD server.
Session Manager is still included in the SGD distribution, as an example web application. To display Session Manager, go to http://server.example.com/sgd/admin/sessmgr/index.jsp, where server.example.com is the name of an SGD server.
If you are using SecurID for application server authentication, objects now use the securid.exp script, rather than the securid/unix.exp script. For backward compatibility, a symbolic link now exists from securid/unix.exp to the new securid.exp script.
An input method (IM) is a program or operating system component that enables users to enter characters and symbols not found on their keyboard. On Microsoft Windows platforms, an IM is called an input method editor (IME).
When running applications, SGD enables an IM if either the TTA_PreferredLocale, TTA_HostLocale, or the LANG (from the application environment overrides) environment variables are set to a locale that requires an IM. The locales that require an IM are controlled by the IM_localeList variable, which is defined in the vars.exp login script.
In version 4.30, it is possible to connect only to one SGD server when the SGD Client is in Integrated mode. In version 4.31, Integrated mode can be used with multiple SGD servers. In the desktop Start or Launch menu, a login link is available for each SGD server.
$ tarantella config edit \
    --tarantella-config-array-netservice-proxy-routes route...

$ tarantella config edit \
    --tarantella-config-array-netservice-proxy-routes \
    "192.168.5.*:CTDIRECT:" \
    "192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080"
With this configuration, clients with IP addresses beginning 192.168.5 have a direct connection. Clients with IP addresses beginning 192.168.10 connect using the SOCKS proxy server taurus.indigo-insurance.com on TCP port 8080.
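A small parser and matcher for the proxy-route strings used above, added here as an example (not code from the SGD documentation or product), so an administrator can check which route a given client address would select before committing the configuration. The grammar beyond pattern:TYPE[:host:port], the octet-wise wildcard matching and the first-match rule are assumptions; the :ssl option mentioned earlier is not handled.

```python
# Added example (not SGD documentation or product code). Parses
# --tarantella-config-array-netservice-proxy-routes entries of the form
# "pattern:TYPE[:host:port]" and reports which route a client address hits.
# Assumptions: '*' matches a whole octet, routes are tried in order and the
# first match wins, and the ":ssl" option is not accepted by this parser.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProxyRoute:
    pattern: str          # client address filter, e.g. "192.168.10.*"
    ctype: str            # connection type, e.g. CTDIRECT or CTSOCKS
    host: Optional[str]   # proxy host, None for CTDIRECT
    port: Optional[int]   # proxy TCP port, None for CTDIRECT


def parse_route(route: str) -> ProxyRoute:
    """Parse one route string, rejecting malformed entries instead of guessing."""
    parts = route.split(":")
    if len(parts) < 2 or not parts[0]:
        raise ValueError(f"route needs a pattern and a type: {route!r}")
    pattern, ctype = parts[0], parts[1].upper()
    if ctype == "CTDIRECT":
        # "192.168.5.*:CTDIRECT:" has an empty tail; any proxy here is an error.
        if any(parts[2:]):
            raise ValueError(f"CTDIRECT route must not name a proxy: {route!r}")
        return ProxyRoute(pattern, ctype, None, None)
    if len(parts) != 4 or not parts[2]:
        raise ValueError(f"proxy route needs host and port: {route!r}")
    port = int(parts[3])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {route!r}")
    return ProxyRoute(pattern, ctype, parts[2], port)


def pattern_matches(pattern: str, client_ip: str) -> bool:
    """Octet-by-octet match of a dotted pattern with '*' wildcards (assumed semantics)."""
    have = str(ipaddress.IPv4Address(client_ip)).split(".")  # raises on bad input
    want = pattern.split(".")
    if len(want) != 4:
        raise ValueError(f"pattern must have four octets: {pattern!r}")
    return all(w == "*" or w == h for w, h in zip(want, have))


def select_route(routes: List[str], client_ip: str) -> Optional[ProxyRoute]:
    """Return the first route whose pattern matches the client, or None if none does."""
    for route in (parse_route(r) for r in routes):
        if pattern_matches(route.pattern, client_ip):
            return route
    return None


# Constructed sample: the two routes from the configuration example above.
SAMPLE_ROUTES = [
    "192.168.5.*:CTDIRECT:",
    "192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080",
]

if __name__ == "__main__":
    for ip in ("192.168.5.17", "192.168.10.200", "10.0.0.1"):
        print(ip, "->", select_route(SAMPLE_ROUTES, ip))
```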
In version 4.31, the startup scripts that ensure SGD services stop and start when an SGD server is rebooted are renamed and restructured. The *Tarantella and *TarantellaWebserver scripts are replaced by a single script named *sun.com-sgd-base. The *tem script for the SGD Enhancement Module is now named *sun.com-sgd-em.
In version 4.31, the Windows key is disabled in SGD Windows Terminal Services sessions by default. The Windows key is honored in local Windows sessions only. To display the Windows Start menu in an SGD Terminal Services Session, press Alt+Home.
The SGD Terminal Services Client (ttatsc) now supports an additional -windowskey on|off option that controls support for the Windows key. You can specify this option with the Arguments for Protocol (--protoargs) attribute on the Windows application object.
Version 4.3 introduces a single package for installing SGD. When you install SGD, you install all the packages that previously had to be installed separately, including the font packages. The license keys installed in the array control the SGD components that can be used.
In previous releases, a user preferences file was used to configure the SGD Client on UNIX platform, Linux, and Mac OS X client devices. With the introduction of profiles, this file is no longer used.
In previous releases, the Window Close Action (--windowclose) attribute was only available to X applications that were configured to display using client window management. The use of this attribute is extended to include X, Windows, and character applications that are configured to display using an independent window.
When you install SGD on Linux platforms, Setup automatically creates PAM configuration entries for SGD by copying the current configuration for the passwd program and creating the /etc/pam.d/tarantella file. On Solaris OS platforms, you can add a new entry for SGD (tarantella) in the /etc/pam.conf file if required.
As a result of the changes introduced in this release to support PDF printing on UNIX platform, Linux, and Mac OS X client devices, the Display Adobe Reader Print dialog (--pdfprompt) attribute is removed.
This change means that when users print with the Universal PDF Printer printer on Windows clients, the print job is automatically sent to the client’s default printer. To be able to choose the client printer where a print job is sent, users must now select the Universal PDF Viewer printer.
For Active Directory authentication, a Client Certificates checkbox is available in the Authentication Wizard. If Active Directory is configured to require a client certificate and you created and installed a client certificate for SGD, then you no longer need to configure the user name and password of a privileged user.
The password used for the SGD certificate store, /install-dir/var/info/certs/sslkeystore, is no longer hard-coded to 123456. Instead, each store now has a random password, which is stored in /install-dir/var/info/key. Use this password with the -storepass and -keypass options when using the keytool application.
From version 4.1, SGD no longer supports the rlogin and rcmd connection methods for starting applications. If you upgrade from an earlier version, you must change the connection method for any applications that use these methods.
From version 4.1, SGD uses a different attribute for the Maximum Simultaneous User Sessions setting (--tuning-maxconnections). If you upgrade from an earlier version, the default setting for this attribute is applied.
From version 4.0, SGD uses a different emulator for mainframe (3270) applications. 3270 character and 3270 X application objects are no longer available and are replaced by a single 3270 application object. As the new 3270 application object has several new attributes, it is not possible to upgrade existing 3270 application objects. If you upgrade from an earlier version, your existing 3270 character and 3270 X applications are deleted when you upgrade. You must reconfigure these applications.