This section describes the administration privilege requirements for the Sun Ray Software tools and how to secure access to the Sun Ray Software Administration GUI (Admin GUI).
Access to the Sun Ray Software commands requires root access to the Sun Ray server. Currently, there is no delegated administration mode for the command line, meaning there is no way to assign privileges to specific users to run specific commands.
Similarly, there is no delegated administration mode for the Sun Ray Software Admin GUI. Anyone who is granted access to the Admin GUI has access to the entire Admin GUI and all the administration tasks you can perform from it. See Administrative Name and Password in the Administration Guide for information about managing the Admin GUI password.
Although there is no way to provide access to specific areas of the Admin GUI, you can enable more users beyond the admin user to access the Admin GUI. See Section 3.3.2, “Admin GUI” for details.
There are various security considerations when using the Sun Ray Software Admin GUI, including access, session timeout, and auditing.
SSL security - You can configure the Admin GUI to require access through SSL, which encrypts the data between the browser and the Admin GUI web server. Enabling SSL is strongly recommended, and SSL is enabled by default during the Sun Ray Software installation ("Enable secure connections?" question). Post installation, you can enable or disable SSL with the utconfig -w command.
SSL also provides authentication of the server. By default, the Admin GUI web server is configured with a self-signed certificate that can cause browsers to show a warning when contacting the server, but you can install other certificates if that is preferred. You can also configure the Admin GUI web server to require client certificates for additional security.
Local or Remote Access - You can configure the Admin GUI to accept connections only from the local system. Local access is likely to be more secure than allowing connections from outside the server. Remote access to the Admin GUI is disabled by default during the Sun Ray Software installation (Enable remote server administration?). Post installation, you can enable or disable remote access to the Admin GUI with the utconfig -w command.
Multiple administration accounts - By default, only the Sun Ray Software admin user account can be used to access the Admin GUI. However, you can configure any valid UNIX user ID to be able to access the Admin GUI and administer Sun Ray services. To do this, you need to add the user to the utadmin authorized user list with the utadminuser command and configure the appropriate authentication permissions through the PAM framework using the utadmingui PAM service name.
See Administration Tool (Admin GUI) in the Administration Guide for details.
By default, if your Admin GUI session is inactive for 30 minutes, you must log in again. You can increase or decrease the timeout value depending on your security requirements. See How to Change the Admin GUI Timeout for details.
There may be times when you need to determine how or when an administrative action was performed with the Admin GUI. Activities performed with the Admin GUI are recorded by messages sent to syslog, which by default are appended to the /var/opt/SUNWut/log/messages file. The text portion of these messages begins with the string utadt::. The format and content of other messages in this file are generally highly volatile, but the format of the utadt:: messages is considered stable.
See How to Audit Admin GUI Sessions for details.
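The following is an added example, not part of the Sun Ray documentation: a shell function that pulls Admin GUI audit records out of a syslog file by matching only messages whose text portion begins with utadt::, so that other, volatile messages that merely mention the string are ignored. The function names, the sample log lines, and the record text after utadt:: are constructed for illustration; the page does not give the field layout of the audit records.

```shell
#!/bin/sh
# Added example: list Admin GUI audit records from a syslog file.
# Relies only on what the page states: audit text begins with "utadt::".

LOG_DEFAULT=/var/opt/SUNWut/log/messages   # default log path from the page

# utadt_events [FILE]   ("-" reads standard input)
# Prints "<timestamp> <host> <text>" for each line whose message text
# starts with utadt::. Lines that only mention utadt:: later in the text
# are skipped, because other messages in this file are volatile.
utadt_events() {
    awk '
    {
        # Traditional syslog header: "Mon DD HH:MM:SS host tag: text"
        ts = $1 " " $2 " " $3
        host = $4
        # The first ": " ends the tag; the message text follows it.
        p = index($0, ": ")
        if (p == 0) next
        text = substr($0, p + 2)
        # Solaris syslogd may prefix "[ID n facility.level] " to the text.
        if (substr(text, 1, 4) == "[ID ") {
            q = index(text, "] ")
            if (q == 0) next
            text = substr(text, q + 2)
        }
        if (index(text, "utadt::") == 1)
            print ts, host, text
    }' "${1:-$LOG_DEFAULT}"
}

# Constructed sample input (not real Sun Ray output; tags and record
# text are placeholders).
utadt_sample() {
    cat <<'EOF'
Jan 12 10:15:02 srs1 example[411]: [ID 702911 user.info] utadt:: constructed-record-1
Jan 12 10:15:09 srs1 other[522]: [ID 100000 user.info] worker restarted after utadt:: flush
Jan 12 10:16:40 srs1 example[411]: utadt:: constructed-record-2
Jan 12 10:17:00 srs1 other[522]: unrelated message
EOF
}

# Demonstration on the constructed sample.
utadt_sample | utadt_events -
```

On a Sun Ray server, calling utadt_events with no argument reads the default log file named above, which normally requires root access.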