This tab provides various subpages to administer the following features:
Security - Configure encryption and authentication between client and server, and enable or disable devices globally.
System Policy - Configure group-wide Sun Ray Software policies.
Kiosk Mode - Configure the kiosk session type used for kiosk sessions.
Card Probe Order - Display all the smart card types configured in the Sun Ray data store and set the smart card probe order.
Data Store Password - Change the password of the administrative user.
This page enables you to configure the security policies for the Sun Ray server. See Chapter 11, Client-Server Security for more information.
Configure encryption and server authentication.
Configure client authentication.
Enable or disable access to client devices attached to the Sun Ray Clients.
Enable or disable the clipboard on Oracle Virtual Desktop Clients.
Upstream Encryption - Select to enable encryption from the client to the Sun Ray server.
Downstream Encryption - Select to enable encryption from the Sun Ray server to the client.
Server Authentication - Select to force a server to be authenticated before providing a session to a client.
Security Mode - Choose the security mode for the encryption and server authentication:
Soft - Ensures that connection requests are granted even for Sun Ray Clients that don't support the configured security requirements. If security requirements cannot be met, the session is granted but not secure.
Hard - Ensures that every session is secure. If security requirements cannot be met, the session is refused.
Security mode settings don't apply to Oracle Virtual Desktop Clients. Oracle Virtual Desktop Clients will always be treated as if hard security mode for encryption or authentication is in effect.
Client Authentication - Select to force a client to be authenticated before obtaining a session. A Sun Ray Client whose key has not been confirmed as valid for the given Sun Ray Client will still be allowed access to Sun Ray sessions by default, unless there is a conflict when the client ID (the MAC address) is used with multiple keys. To force client key confirmation, see Section B.5.2, “System Policy” for details.
Security Mode - Choose the security mode for client authentication:
Soft - Ensures that connection requests are granted even for Sun Ray Clients that don't support the configured security requirements. If security requirements cannot be met, the session is granted but not secure.
Hard - Ensures that every session is secure. If security requirements cannot be met, the session is refused.
Security mode settings don't apply to Oracle Virtual Desktop Clients. Oracle Virtual Desktop Clients will always be treated as if hard security mode for authentication is in effect.
Internal Serial Port - Select to enable access to the serial port on the Sun Ray Clients.
Internal Smart Card Reader - Select to enable access to the smart card readers on the Sun Ray Clients. Choose the smart card protocol to use, either scbus v1 or scbus v2. Choose scbus v2 unless you are managing Sun Ray Clients running Sun Ray Software 5.2 firmware or earlier.
USB Port - Select to enable access to the USB ports on the Sun Ray Clients.
Oracle Virtual Desktop Client Clipboard - Select to enable copying and pasting text between an application running in an Oracle Virtual Desktop Client session and an application running on the local desktop.
utcrypto
utdevadm
utpolicy
This page enables you to configure group-wide policies. Some policy setting combinations are not allowed, and settings are disabled accordingly to enforce these rules.
Set session policies for smart cards.
Set session policies for non-smart cards.
Enable or disable client key confirmation for client authentication.
Enable or disable the multihead group policy.
Enable or disable Remote Hotdesk Authentication (RHA).
These policies apply to users who try to access a session with a smart card.
Access - Select who can access sessions with a smart card:
None - Select to disable session access with a smart card.
All Users - Select to enable session access to all smart card users.
Users with Registered Tokens - Select to enable session access to all smart card users with a registered token. If enabled, you can also enable self-registration of tokens and specify whether user account authentication is required.
Oracle Virtual Desktop Clients - Select to enable session access on Oracle Virtual Desktop Clients with a smart card.
Kiosk Mode - Select to force the user session to be the kiosk mode session (if configured) when a smart card is used.
These policies apply to users who try to access a session without a smart card.
Access - Select who can access sessions without a smart card:
None - Select to disable session access to users without a smart card.
All Users - Select to enable session access to users without a smart card.
Users with Registered Tokens - Select to enable session access to all users without a smart card and with a registered token. If enabled, you can also enable self-registration of tokens and specify whether user account authentication is required.
Oracle Virtual Desktop Clients - Select to enable session access on Oracle Virtual Desktop Clients without a smart card.
Kiosk Mode - Select to force the user session to be the kiosk mode session (if configured) without a smart card.
Mobile Sessions - Select to enable Non-Smart Card Mobility (NSCM) for sessions, or hotdesking without smart cards. You can also enable the ability for users to exit from Mobile Sessions.
Client Key Confirmation Required - Select to force client key confirmation for session access if client authentication is enabled in the Security page. Once enabled, any new Sun Ray Client will be denied a regular session when first used. To allow session access, you must first inspect and confirm the submitted key as valid. You should also set the Client Authentication Security Mode to hard in the Security page, so clients that do not participate in client authentication are rejected as well.
Multihead Feature - Select to enable the multihead group feature for the failover group. See Section 12.2, “Multihead Groups” for details.
Direct Session Access Allowed - Select to enable direct access to a session after hotdesking when using smart cards, which effectively disables Remote Hotdesk Authentication (RHA). If you disable RHA, users won't be presented with a login screen when hotdesking. Although this reduces the time it takes for users to hotdesk, it introduces a security risk. For example, if you have a current session and someone gains access to your smart card, that person can gain access to your session without having your login information.
utreader
utpolicy
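How the soft and hard security modes on the Security page combine with the Client Key Confirmation policy can be modelled as follows. This is an added example, not Sun Ray Software code: the Policy and Client classes, the decide function and its result strings are hypothetical, upstream and downstream encryption are collapsed into one flag, and key confirmation is applied to every client type as a simplifying assumption. The soft and hard runs at the end show why hard mode is recommended alongside key confirmation.

```python
from dataclasses import dataclass

@dataclass
class Policy:  # hypothetical model of the Security and System Policy settings
    encryption: bool = False         # upstream/downstream collapsed into one flag
    server_auth: bool = False
    enc_auth_mode: str = "soft"      # mode for encryption and server authentication
    client_auth: bool = False
    client_auth_mode: str = "soft"
    key_confirmation: bool = False   # Client Key Confirmation Required

@dataclass
class Client:  # hypothetical description of a connecting client
    ovdc: bool = False               # Oracle Virtual Desktop Client
    supports_encryption: bool = True
    supports_server_auth: bool = True
    supports_client_auth: bool = True
    key_confirmed: bool = False
    key_conflict: bool = False       # client ID (MAC) used with multiple keys

def decide(policy: Policy, client: Client) -> str:
    """Return 'granted', 'granted-not-secure' or 'refused'."""
    # Oracle Virtual Desktop Clients are always treated as hard mode.
    enc_mode = "hard" if client.ovdc else policy.enc_auth_mode
    ca_mode = "hard" if client.ovdc else policy.client_auth_mode
    secure = True
    unmet = ((policy.encryption and not client.supports_encryption)
             or (policy.server_auth and not client.supports_server_auth))
    if unmet:
        if enc_mode == "hard":
            return "refused"
        secure = False               # soft: session granted but not secure
    if policy.client_auth:
        if not client.supports_client_auth:
            if ca_mode == "hard":
                return "refused"
            secure = False           # soft mode lets non-participants in
        elif client.key_conflict:
            return "refused"         # same client ID seen with multiple keys
        elif policy.key_confirmation and not client.key_confirmed:
            return "refused"         # key must be inspected and confirmed first
    return "granted" if secure else "granted-not-secure"

if __name__ == "__main__":
    legacy = Client(supports_client_auth=False)  # constructed sample client
    for mode in ("soft", "hard"):
        p = Policy(client_auth=True, client_auth_mode=mode, key_confirmation=True)
        print(mode, decide(p, legacy))
```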
This page enables you to set the kiosk session type and general properties used when kiosk mode is enabled, such as with the Windows connector or VMware View connector. This page is available only if you have configured kiosk mode as part of the initial Sun Ray Software installation or by using the utconfig command after post installation.
See Chapter 10, Kiosk Mode for more information.
Configure a specific kiosk session type, including general properties and any Windows connector (uttsc command) arguments.
To configure a kiosk session type, fill in the following fields and click OK. Most of the fields are not required, and the system default is applied.
Session - The session type to use for the Kiosk session.
Timeout - Indicates the number of seconds after which a disconnected session will be terminated. If you provide no value for this setting, termination of disconnected sessions will be disabled.
Maximum CPU Time - Indicates the maximum number of CPU seconds per process for kiosk sessions.
Maximum VM Size - Indicates the maximum Virtual Memory size per process for kiosk sessions.
Maximum number of Files - Indicates the maximum number of open files per process for kiosk sessions.
Maximum File Size - Indicates the maximum file size per process for kiosk sessions.
Locale - Indicates the locale to be used by the kiosk session.
Arguments - Indicates a list of Windows connector (uttsc command) arguments that are passed to the kiosk session as it starts. This setting is specific to the kiosk session type. For more information about supported arguments, see Chapter 10, Kiosk Mode.
If a kiosk session is currently configured, the Edit button is displayed, which enables you to edit the currently configured kiosk session type, and the Delete button is displayed, which enables you to delete the currently configured kiosk session type. You can also use the Edit button to change the current kiosk session type, or you can disable kiosk mode policy to ignore the currently configured session type.
utkiosk
This page enables you to set the group-wide smart card probe order, which is an ordered list of the smart card configuration files. Every time a smart card is inserted into a Sun Ray Client, the Sun Ray server tries to identify the card type using the specified probe order. Only smart cards identified by one of the configuration files specified in the probe order list are accepted. You can add or remove smart card configuration files from this list to restrict session access to specific card types.
In the absence of a group-wide probe order, the Sun Ray server uses the local probe order defined in the /etc/opt/SUNWut/smartcard/probe_order.conf file. If no local probe order has been set up, a default probe order is used. Changes in smart card probe order require Sun Ray services to be restarted.
See Chapter 8, Smart Card Services for more information.
Add smart card configuration files to the group-wide smart card probe order.
Rearrange the smart card configuration files in the smart card probe order.
Click this button to add, remove, and order the group-wide probe order for the smart card configuration files. The available smart card list contains the list of configuration files located in the server's /etc/opt/SUNWut/smartcard directory. All files end with a .cfg suffix, as in, acme_card.cfg.
utcard
This page enables you to change the password of the administrative user for privileged access to the Sun Ray data store. By default, the Admin GUI uses the same account to authenticate users during login. The initial password of this admin user is specified during the Sun Ray Software configuration.
If you change the password using the Admin GUI, the new password is applied to the Sun Ray data store as well as to the password file on the local server.
In a failover group each server uses its own local password file. Thus, after changing the data store password, you must also manually update the password files on all the other servers, by using the Admin GUI or running the utpw command on each server.
utpw