2.2. Management Layer

This section describes the functions of the elements used to manage Oracle VDI desktops and monitor the Oracle VDI environment.

2.2.1. Common Agent Container

The Common Agent Container, usually called Cacao, is a Java Management Extensions (JMX) management object container that provides JMX-compliant, secure access through one or more communication protocols. Management services that provide JMX interfaces can be realized as Cacao modules and executed within an instance of the Cacao daemon. Initial Cacao setup creates a self-signed Certificate Authority (CA) certificate for each configured instance. Communication is secured by certificates derived from this CA certificate.

Several Oracle VDI services are implemented as Cacao modules. These modules share a single Cacao daemon instance, named vda, which restricts access to privileged users and well-known peers whose CA or service certificate is registered in its trust keystore. Clients access the modules via secure SSL connections.

All Cacao modules log important events and access decisions, as well as more detailed information that is useful for troubleshooting, into a common, per-instance log file. (See Checking Oracle VDI Services and Logs in the Oracle Virtual Desktop Infrastructure Administrator's Guide for information about this file and how to configure logging.) By default, every user of the Oracle VDI host can read the Cacao log file.

2.2.2. Oracle VDI Service

The main Oracle VDI Service module is a Cacao module that manages virtualization and storage hosts to provide the services needed by Oracle VDI clients. It accesses the Oracle VDI database to store configuration data and runtime state shared by the entire Oracle VDI Center, or cluster of hosts running Oracle VDI (see Installing Oracle VDI and Configuring Oracle VDI Centers in the Oracle Virtual Desktop Infrastructure Administrator's Guide). The Oracle VDI Service also performs the administrative action requests it receives through the Oracle VDI web-based and command-line administration interfaces.

The Oracle VDI Service accepts requests only from local clients and administrative components. Every request requires appropriate authentication and authorization.

Client requests require user credentials that are authenticated against the configured User Directory, unless client authentication is disabled. Local components that can submit client requests include the Web Service API hosted by the Oracle VDI web server and the vda-client command-line interface. These components use a private interface based on local sockets to connect to the Oracle VDI Service.

Administrative requests require user authentication against the Oracle VDI host's passwd name service and authorization through assigned administrator roles.

The Oracle VDI Service stores keys or passwords for virtualization and storage hosts securely in the Oracle VDI database. Credentials for access to the Oracle VDI database are stored in local files on the Oracle VDI host with restrictive access permissions. Oracle VDI administrators should protect privileged accounts on these hosts, as well as backups of host configuration data, against unauthorized access.

2.2.3. Oracle VDI Center Agent

The Oracle VDI Center Agent is a Cacao module that resides in the same Cacao agent instance as the Oracle VDI Service. The Oracle VDI Center Agent accepts administrative requests from privileged clients on the local host and internal requests from peer agents on other hosts in the Oracle VDI Center. It also accepts queries for selected monitoring data from remote agents that authenticate as a valid user.

Communication between Oracle VDI Center Agents on different hosts also uses secure SSL connections. When a new host joins the Oracle VDI Center, it exchanges public certificates with the existing members. To ensure that this exchange takes place with the correct host, the configuration process presents a certificate fingerprint of the host being contacted for user verification.

The Oracle VDI Center Agent monitors and performs administrative actions on all local Oracle VDI Services but does not interact directly with virtualization or desktop hosts, storages, or the Oracle VDI database.

2.2.4. Oracle VDI Manager

Oracle VDI Manager is the browser-based graphical tool for Oracle VDI administration. It is implemented by a non-privileged web server process. The same web server also provides the Oracle VDI web service API.

Connections to the Oracle VDI Manager use the HTTPS protocol. The Oracle VDI Manager offers an HTTP interface for initial contact, but that immediately redirects the web browser to the secure HTTPS port.

By default, the Oracle VDI Manager web server uses a self-signed certificate, so that users are required to accept a security exception when contacting the Oracle VDI Manager.

Oracle VDI Manager requires the administrator to log in using a local user account on the Oracle VDI host. The login credentials are used to authenticate requests to the Oracle VDI Service. Only user accounts with Oracle VDI administrator privileges are permitted to log in.

Once logged in, access to view and edit Oracle VDI configuration is restricted based on the assigned administrator roles.

The root user can only access Oracle VDI Manager if they are assigned an administrator role.

2.2.5. Oracle VDI Command-Line Tools

The vda and vda-backup command-line tools issue requests to the VDA service, which applies role-based authorizations to each request. Both tools require password authentication for all non-root users. Other Oracle VDI command-line tools generally require local root privileges.

The root user can always run Oracle VDI commands, even if they are not assigned any administrator roles.

2.2.6. Oracle VDI Database

Oracle VDI stores most of its operational and configuration data in a MySQL database shared by all hosts. Oracle VDI automatically sets up and configures an embedded MySQL Server database. Administrators have the option of setting up and configuring a remote MySQL database to suit their own requirements.

Note

Administrators who choose to use a remote database are responsible for configuring appropriate security. Those who do not have full control may have to negotiate security with one or more database administrators. See the documentation for your version of MySQL for information about secure configuration, such as Security in MySQL in the MySQL 5.6 Reference Manual.

Oracle VDI uses a special database user account to access Oracle VDI data. Unless you use a remote database and specify an existing account or a password, Oracle VDI generates a secure, random password for this account. Long, randomly generated passwords are generally more secure than shorter ones that are easier to remember or that may have been used before. Oracle VDI stores credentials for database access in a local file with restrictive privileges.

Oracle VDI also uses an account with administrative privileges in the database for certain database configuration tasks. This account is not used in normal operation. Unless you use an existing database account (remote database only) or specify a password during configuration, Oracle VDI generates a secure, random password for this account, too. Oracle VDI stores credentials for database reconfiguration in a local file with restrictive privileges.

When an embedded MySQL Server database is configured for high availability, Oracle VDI uses another predefined account for database replication.

Oracle VDI uses secure SSL connections to access the embedded Oracle VDI MySQL Server database, using a short-lived ("throwaway") CA to generate server and client certificates for securing database access. This facilitates replacing the whole set (CA certificate, client certificate, and server certificate), rather than individual certificates, for instance, if there is reason to believe that any of the involved keys has been compromised.
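The rotate-as-a-set scheme described above, shown as an added Go example that is not Oracle VDI's own code: it mints a short-lived CA, issues the server and client certificates from it, and checks that a leaf from the previous set is no longer trusted once the whole set (CA, server, client) has been replaced. The certificate names and the 24-hour lifetime are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertSet is one throwaway CA plus the server and client certificates it signed.
type CertSet struct{ CA, Server, Client *x509.Certificate }
// issue signs a certificate for cn with parentKey; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour), // short-lived: the set is replaced, never renewed (assumed lifetime)
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewCertSet mints a fresh CA and issues both leaves from it (names are illustrative, not Oracle VDI's).
func NewCertSet() CertSet {
	ca, caKey := issue("vdi-throwaway-ca", true, nil, nil)
	srv, _ := issue("vdi-mysql-server", false, ca, caKey)
	cli, _ := issue("vdi-service-client", false, ca, caKey)
	return CertSet{CA: ca, Server: srv, Client: cli}
}

// TrustedBy reports whether leaf chains to ca alone, so leaves of an older set are rejected.
func TrustedBy(leaf, ca *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
```

Replacing the CA after a suspected key compromise means calling NewCertSet again and distributing all three certificates together; the old client and server certificates then fail TrustedBy against the new CA.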

If you are using a remote database, it is your responsibility to set up SSL on the database server and provide the required certificates to Oracle VDI at configuration time.

2.2.7. User Directory

Oracle VDI uses an existing User Directory for user identification and authentication, associating desktops with users from the directory according to policies or direct assignments. Oracle VDI supports Active Directory (AD) or LDAP directories and five levels, or types, of authentication to use with these directories:

  • LDAP Anonymous Authentication

    Anonymous authentication is useful for quick integration with an LDAP server but is not recommended for production environments. The connection from Oracle VDI to the User Directory is not authenticated at all. Anonymous read access is required on the directory.

  • LDAP Simple Authentication

    Simple authentication is the recommended choice for production platforms that integrate with LDAP directories other than Active Directory. The connection from Oracle VDI to the User Directory is authenticated by the credentials (user distinguished name (DN) and password) of an administrator.

  • LDAP Secure Authentication

    With secure authentication, the connection from Oracle VDI to the User Directory is authenticated by the credentials (user DN and password) of an administrator and secured by SSL.

  • Kerberos Authentication

    Kerberos Authentication is the typical choice for integration with Microsoft Active Directory. The connection from Oracle VDI to the User Directory is authenticated by the Kerberos protocol, using the credentials (user name and password) of an administrator.

  • Public Key Authentication

    Public key authentication is recommended for integration with Microsoft Active Directory when the domain controller requires LDAP signing (see How to Enable LDAP Signing in Windows Server 2008). The connection to the User Directory is authenticated by a client certificate and secured by SSL.

Both Active Directory and LDAP also provide encryption so that user credentials are not submitted as plain text. See About User Directory Integration in the Oracle Virtual Desktop Infrastructure Administrator's Guide for more information about user directories in Oracle VDI.

2.2.8. Enterprise Manager Plug-in for Oracle VDI

The Enterprise Manager Plug-in for Oracle VDI adds support for monitoring Oracle VDI resources, which are called targets in Oracle Enterprise Manager. The plug-in is deployed onto two Oracle Enterprise Manager components: a Management Server (OMS) and a Management Agent. By deploying the plug-in you add management, discovery and monitoring capabilities for Oracle VDI targets.

The Management Agent establishes a secure communication channel (SSL) to an Oracle VDI Center Agent. It retrieves metric and configuration data through the Oracle VDI Center Agent. No configuration changes are required on any Oracle VDI host. The Management Agent may run on a host that is not part of the Oracle VDI environment. For example, it could run on the Oracle Enterprise Manager host itself. A single Management Agent is sufficient to monitor an entire Oracle VDI installation.

To collect information from the Oracle VDI environment, the Management Agent must be authenticated as an Oracle VDI administrator with company monitor and provider monitor privileges. Additional privileges are not required. At regular intervals, the Management Agent uploads collected data over an encrypted connection to the OMS, which stores it securely in the Management Repository.

For secure deployment of the Enterprise Manager Plug-in for Oracle VDI, certain security requirements must be fulfilled by the Oracle Enterprise Manager installation. These requirements include:

  • controlled access to the Management Console and monitoring targets

  • secure communication between the Management Agent and OMS

  • secure overall Oracle Enterprise Manager configuration, in particular the administrator account credentials used for monitoring

For details about security in an Oracle Enterprise Manager environment, see the chapter Configuring Security in the Oracle Enterprise Manager Cloud Control Administrator's Guide.