Secure Global Desktop 4.40 Administration Guide > Getting Started > Users and Trusted SGD Servers
When SGD is first installed, the initial connection between an SGD Client and an SGD server is secured with SSL. However, after the user has logged in, the connection is downgraded to a standard connection. To be able to use SSL permanently for connections to SGD, you must enable SGD security services.
In addition to using SSL, SGD also requires users to authorize their connections to SGD so that they only connect to trusted servers. The first time a user connects to an SGD server, they see an Untrusted Initial Connection message advising that they are connecting to a server for the first time.
Note: If there is a problem with the server's security certificate, a security warning displays before the Untrusted Initial Connection message.
Users must check these details before clicking Yes. Show users how to check the details as follows:
If the details are correct, users can click Yes to agree to the connection.
Once a user has agreed to the connection, the host name and the fingerprint of the certificate are added to the hostsvisited file on the client device. The hostsvisited file is stored in the same location as the user's client profile cache. The user is not prompted again about the connection unless there is a problem.
If there is a problem with the connection, for example because the fingerprint of the server certificate has changed, a Potentially Unsafe Connection message displays.
To ensure that users only connect to SGD servers that are trusted, Secure Global Desktop Administrators can do the following:
Run the tarantella security fingerprint command on each SGD server in the array to obtain a list of fingerprints.
hostsvisited File for Additional Security
You can use a pre-configured hostsvisited file to restrict the SGD servers that the Sun Secure Global Desktop Client can connect to. To do this, you need to install the pre-configured hostsvisited file on the client device.
The easiest way to create a pre-configured hostsvisited file is to copy and edit an existing
You also have to add an <allowhostoverride> line manually to the hostsvisited file, as shown in the following example:

    <?xml version="1.0" encoding="UTF-8" ?>
    <array>
      <allowhostoverride>0</allowhostoverride>
      <server peername="boston.indigo-insurance.com">
        <certfingerprint>51:B7:6D:FA:6E:3B:BE:ED:37:73:D4:9D:5B:C5:71:F6</certfingerprint>
      </server>
    </array>
If you omit the <allowhostoverride> line, this only stops users from being prompted when they connect to any of the SGD servers listed in the hostsvisited file. It does not prevent the SGD Client from connecting to other servers.
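As an added example (not the SGD Client's own code), the following Python reads a hostsvisited file like the one above and classifies a connection attempt according to the rules this topic describes: a matching fingerprint is trusted, a changed fingerprint is a Potentially Unsafe Connection, an unlisted server is an Untrusted Initial Connection unless <allowhostoverride> is 0, in which case it is refused. The case-insensitive comparison of host names and fingerprints and the Decision names are assumptions made here for illustration.

```python
import xml.etree.ElementTree as ET
from enum import Enum

# Constructed sample hostsvisited file, copied from the example in this topic.
SAMPLE_HOSTSVISITED = """<?xml version="1.0" encoding="UTF-8" ?>
<array>
  <allowhostoverride>0</allowhostoverride>
  <server peername="boston.indigo-insurance.com">
    <certfingerprint>51:B7:6D:FA:6E:3B:BE:ED:37:73:D4:9D:5B:C5:71:F6</certfingerprint>
  </server>
</array>
"""


class Decision(Enum):
    TRUSTED = "trusted"                        # host listed, fingerprint matches
    POTENTIALLY_UNSAFE = "potentially unsafe"  # host listed, fingerprint changed
    UNTRUSTED_INITIAL = "untrusted initial"    # host not listed, user is prompted
    REFUSED = "refused"                        # host not listed, overrides disabled


def parse_hostsvisited(xml_text):
    """Return (allow_host_override, {peername: fingerprint}) from a hostsvisited document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "array":
        raise ValueError("unexpected root element %r" % root.tag)
    override_el = root.find("allowhostoverride")
    # An omitted <allowhostoverride> line only suppresses prompts for listed servers;
    # it does not lock the client to them, so treat it as overrides allowed.
    allow_override = override_el is None or (override_el.text or "").strip() == "1"
    servers = {}
    for srv in root.findall("server"):
        fingerprint = (srv.findtext("certfingerprint") or "").strip().upper()
        servers[srv.get("peername", "").strip().lower()] = fingerprint
    return allow_override, servers


def evaluate_connection(xml_text, peername, observed_fingerprint):
    """Classify a connection attempt the way this topic describes the client's prompts."""
    allow_override, servers = parse_hostsvisited(xml_text)
    known = servers.get(peername.strip().lower())
    if known is not None:
        if known == observed_fingerprint.strip().upper():
            return Decision.TRUSTED
        return Decision.POTENTIALLY_UNSAFE  # fingerprint changed since the host was recorded
    return Decision.UNTRUSTED_INITIAL if allow_override else Decision.REFUSED
```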
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.