3.4. Oracle VDI Configuration

3.4.1. Oracle VDI Settings for Sun Ray Software
3.4.2. Default Oracle VDI Settings
3.4.3. Oracle VDI Host Configuration
3.4.4. Desktop Selector Configuration Recommendations
3.4.5. Additional Configuration Recommendations
3.4.6. Configuration Summary

Regular configuration procedures are documented in the Oracle VDI Administration Guide (see Installing Oracle VDI and Configuring Oracle VDI Centers). Security concerns and recommendations are listed in the following sections.

3.4.1. Oracle VDI Settings for Sun Ray Software

The default Oracle VDI configuration of Sun Ray Software includes the following settings:

  • The Sun Ray data store (admin) password is set to the password entered during Oracle VDI configuration. If no password is specified, a secure auto-generated password is used by default.

  • Sun Ray Software is prepared for use in a failover group, with a secure, auto-generated Sun Ray group signature. As further hosts are added to the Oracle VDI Center, they are added to the Sun Ray Software failover and replication group.

  • The Sun Ray Administration Tool (Admin GUI) is enabled and set up for remote HTTPS access. Administrator authentication is set up to use system authentication.

  • The system root account is added to the list of authorized Sun Ray administrators.

  • The fixed Sun Ray administrator admin account is removed.

  • Kiosk mode is configured with the Oracle VDI vda kiosk session type.

  • Kiosk mode is set up with the number of kiosk user accounts on each host specified during Oracle VDI configuration.

  • Sun Ray access policy is set up to use kiosk mode with all kinds of tokens and to allow access using the Oracle Virtual Desktop Client.

  • Session access is allowed for any client connecting via (routed) LAN.

3.4.2. Default Oracle VDI Settings

After standard Oracle VDI configuration:

  • Oracle VDI and Sun Ray Software services are running and accepting connections.

  • ALP encryption is set to default (off).

  • Oracle VDI and Sun Ray Software Manager user interfaces are running.

3.4.3. Oracle VDI Host Configuration

Please keep the following considerations in mind when configuring a primary host:

  • Administrator Password

    If you accept the default for this setting, a random, automatically generated password is used. Typically, such a password is more secure than a password specified by a human operator. You do not need to know this password for normal Oracle VDI operation. Unless you have special requirements, it is recommended that you accept the automatically generated default.

    If you later need direct access to the Oracle VDI database or to the Sun Ray Software data store, Oracle VDI provides methods to retrieve this password.

  • User ID Range Start

    This setting defines the lowest number in a range of user IDs. The size of the range is determined by the Maximum Number of Sessions on This Host parameter. If you grow your installation, you may need to expand this range later.

    Do not assign an ID in this range to any actual user. During initial configuration, this is verified and the range is moved to higher numbers if necessary, but this cannot easily be enforced in the future if you use a central naming service, such as LDAP or NIS, for your user accounts.

    Specify this range so that it cannot collide with the range of user IDs you allocate for regular users, preferably by specifying a significantly higher number here.
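Because a central naming service can later hand out UIDs inside the kiosk range without Oracle VDI noticing, a periodic audit is worthwhile. The script below is an added example, not part of the Oracle VDI guide; it assumes the reserved range is [START, START + MAX_SESSIONS - 1] and that kiosk account names share a site-specific prefix (here "vdakiosk", an assumed value), and it reads passwd-format lines so `getent passwd` output (local, LDAP and NIS entries) can be fed in.

```shell
#!/bin/sh
# Added example, not from the Oracle VDI guide: report accounts whose UID falls
# inside the range reserved for Oracle VDI kiosk users, so that regular users
# added later (locally or via LDAP/NIS) can be caught before they collide.
# Assumption: the reserved range is [START, START + MAX_SESSIONS - 1], where
# START is "User ID Range Start" and MAX_SESSIONS is "Maximum Number of Sessions
# on This Host". The kiosk account name prefix (3rd argument) is site-specific.

# Usage: kiosk_uid_collisions START MAX_SESSIONS [KIOSK_PREFIX] < passwd-lines
# Prints one account name per line for every non-kiosk account inside the range.
kiosk_uid_collisions() {
    lo=$1
    hi=$(( $1 + $2 - 1 ))
    pfx=${3:-}
    awk -F: -v lo="$lo" -v hi="$hi" -v pfx="$pfx" '
        # passwd format: name:passwd:uid:gid:gecos:home:shell
        NF >= 3 && $3 ~ /^[0-9]+$/ &&
          (pfx == "" || index($1, pfx) != 1) &&
          $3 + 0 >= lo && $3 + 0 <= hi { print $1 }
    '
}

# Constructed sample passwd data (not real accounts) for demonstration.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:150010:100:Bob:/home/bob:/bin/sh
vdakiosk01:x:150001:100:VDI kiosk:/var/tmp:/bin/false'

# Returns the collision list for the sample: start 150000, 50 sessions,
# kiosk accounts prefixed "vdakiosk" (assumed name prefix). Only "bob" collides.
check_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | kiosk_uid_collisions 150000 50 vdakiosk
}

# On a real host, audit the live account database, including LDAP/NIS entries:
#   getent passwd | kiosk_uid_collisions 150000 50 vdakiosk
```

Run it from cron on every Oracle VDI host after adding users; any name it prints must be moved out of the range or the range moved higher, as the guide recommends.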

When configuring secondary hosts, pay particular attention to the verification of the primary host's SSL certificate as described in Configuring Oracle VDI on a Secondary Host. Once you accept the authenticity of the primary host, by entering the root password, that host gains access to the full Oracle VDI installation with all internal credentials.

3.4.4. Desktop Selector Configuration Recommendations

To further strengthen Desktop Selector, take the following measures:

  • Enable the Oracle VDI screen lock (see How to Enable Desktop Screen Locking on Sun Ray Clients).

    # /opt/SUNWvda/sbin/vda settings-setprops -p clientscreenlock=Enabled

  • Keep Oracle VDI authentication enabled (default), unless there is a strong reason to disable it. If authentication is disabled at the Oracle VDI level, then authentication must be enforced on the desktop OS.

    # /opt/SUNWvda/sbin/vda settings-setprops -p clientauthentication=Enabled

  • Configure the session idle timeout to a reasonably low value (the default is 180 seconds, i.e., three minutes).

    VDA kiosk session arguments: -t (timeout in seconds)

  • Keep the desktop logout always policy enabled (default).

    # /opt/SUNWvda/sbin/vda settings-setprops -p client.logout.always=Enabled

  • If smart cards/tokens are used, they should be registered explicitly for the desired users, whether through the Sun Ray administration tool or through Oracle VDI administration.

3.4.5. Additional Configuration Recommendations

To strengthen the standard configuration, take the following measures:

  • Use the Sun Ray Software utcrypto CLI or the Sun Ray Web Admin tool to enable ALP encryption and server authentication (see Admin GUI Tools and Commands in the Sun Ray Software 5.3 Administration Guide).

  • Synchronize primary and secondary hosts.

    • Oracle VDI configures the primary host as an NTP (Network Time Protocol) server. If the secondary hosts have different time settings, they can get out of sync with the primary. To prevent this condition, set up NTP on all Oracle VDI hosts (see Time Synchronization).

    • Use MD5 Fingerprint to authenticate secondary hosts.

  • Configure administrators and their roles.

  • Disable the Oracle VDI RDP Broker service, if it is not needed.

  • Use the Sun Ray Software utdevadm CLI to enable or disable device services as needed (see the utdevadm(1M) man page and How to Enable or Disable USB Services in the Sun Ray Software 5.3 Administration Guide).

3.4.6. Configuration Summary

After initial Oracle VDI configuration completes, the host is in the following state:

  • Oracle VDI and Sun Ray Software services are running and accepting connections.

  • Oracle VDI and Sun Ray Software Manager user interfaces are running. The local root user can log into each management UI with full privileges.

  • Oracle VDI desktops are not configured and are not offered to connecting users.

  • ALP encryption is set to the default (off).

The following settings have been applied to the Sun Ray services on the host:

  • The Admin GUI is enabled and set up for remote HTTPS access.

  • The system root account is added to the list of authorized Sun Ray administrators (see Administrative Name and Password in the Sun Ray Software 5.3 Administration Guide). The fixed Sun Ray administrator admin account is removed.

  • The Sun Ray data store (admin) password is set to the password entered during Oracle VDI configuration. A secure auto-generated password is used by default.

  • Sun Ray Software is prepared for use in a failover group, with a secure, auto-generated Sun Ray group signature. As further hosts are added to the Oracle VDI Center, they are added to the Sun Ray Software failover and replication group.

  • Sun Ray access policy is set up to use kiosk mode for all kinds of access and to allow access using the Oracle Virtual Desktop Client with all kinds of tokens.

  • Kiosk mode is configured with the Oracle Virtual Desktop Infrastructure vda kiosk session type.

  • Kiosk mode is set up with the number of kiosk user accounts on each host specified during Oracle VDI configuration.

  • Session access is allowed for any client connecting over a routed LAN.