3.4. Oracle VDI Configuration

3.4.1. Oracle VDI Settings for Sun Ray Software
3.4.2. Default Oracle VDI Settings
3.4.3. Oracle VDI Host Configuration
3.4.4. Desktop Selector Configuration Recommendations
3.4.5. Additional Configuration Recommendations
3.4.6. Configuration Summary

Regular configuration procedures are documented in the Oracle VDI Administration Guide (see Installing Oracle VDI and Configuring Oracle VDI Centers in the Oracle Virtual Desktop Infrastructure Administrator's Guide). Security concerns and recommendations are listed in the following sections.

3.4.1. Oracle VDI Settings for Sun Ray Software

The default Oracle VDI configuration of Sun Ray Software includes the following settings:

  • The Sun Ray data store (admin) password is set to the password entered during Oracle VDI configuration. If no password is specified, a secure auto-generated password is used by default.

  • Sun Ray Software is prepared for use in a failover group, with a secure, auto-generated Sun Ray group signature. As further hosts are added to the Oracle VDI Center, they are added to the Sun Ray Software failover and replication group.

  • The Sun Ray Administration Tool (Admin GUI) is enabled and set up for remote HTTPS access. Administrator authentication is set up to use system authentication.

  • The primary administrator specified when Oracle VDI is configured is added to the list of authorized Sun Ray administrators.

  • The fixed Sun Ray administrator admin account is removed.

  • Kiosk mode is configured with the Oracle Virtual Desktop Infrastructure (vda) kiosk session type.

  • Kiosk mode is set up with the number of kiosk user accounts on each host specified during Oracle VDI configuration.

  • Sun Ray access policy is set up to use kiosk mode with all kinds of tokens and to allow access using the Oracle Virtual Desktop Client.

  • Session access is allowed for any client connecting via (routed) LAN.

3.4.2. Default Oracle VDI Settings

After standard Oracle VDI configuration:

  • Oracle VDI and Sun Ray Software services are running and accepting connections.

  • ALP encryption is set to default (off).

  • Oracle VDI and Sun Ray Software Manager user interfaces are running.

3.4.3. Oracle VDI Host Configuration

Keep the following considerations in mind when configuring a primary host:

  • Initial Primary Administrator

    The default primary administrator suggested by Oracle VDI configuration might not be appropriate for your deployment. If the configuration tool can determine the user name of the user initiating the configuration process, this user is suggested. This suggestion is a reasonable choice if the configuration is performed by a designated Oracle VDI administrator. If the user name cannot be determined, the root user is suggested (if eligible), which is a poor choice for security-conscious production deployments.

    It is generally poor practice to allow direct login by the local root user into a web-based remote administration tool. For this reason, the root user should not be granted any Oracle VDI administrator role.

    On Oracle Solaris platforms, the initial primary administrator must be a user account. Role accounts are not allowed.

  • Administrator Password

    If you accept the default for this setting, a random, automatically generated password is used. Typically, such a password is more secure than a password specified by a human operator. You do not need to know this password for normal Oracle VDI operation. Unless you have special requirements, it is recommended that you accept the automatically generated default.

    If you later need direct access to the Oracle VDI database or to the Sun Ray Software data store, Oracle VDI provides methods to retrieve this password.

  • User ID Range Start

    This setting defines the lowest number in a range of user IDs. The size of the range is determined by the Maximum Number of Sessions on This Host parameter. If you grow your installation, you may need to expand this range later.

    Do not assign an ID in this range to any actual user. During initial configuration, this is verified and the range is moved to higher numbers if necessary, but this cannot easily be enforced in the future if you use a central naming service, such as LDAP or NIS, for your user accounts.

    Specify this range so that it cannot collide with the range of user IDs you allocate for regular users, preferably by specifying a significantly higher number here.
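A check that implements the advice above, added here as an example and not taken from the Oracle VDI guide: it takes the proposed User ID Range Start and the Maximum Number of Sessions on This Host, scans a passwd-format file for collisions, and suggests a start well above the highest UID in use. The sample accounts are constructed.

```shell
# Added example, not from the Oracle VDI guide: verify that a proposed kiosk
# user ID range does not collide with existing accounts. As in the guide, the
# range starts at "User ID Range Start" and is "Maximum Number of Sessions" wide.
# check_uid_range START COUNT PASSWD_FILE
# Reports every account whose UID falls inside [START, START+COUNT-1].
# Returns 0 when the range is free, 1 when at least one account collides.
check_uid_range() {
    start=$1; count=$2; passwd_file=$3
    end=$((start + count - 1))
    collisions=0
    while IFS=: read -r name pw uid rest; do
        case "$uid" in
            ''|*[!0-9]*) continue ;;   # skip comments and malformed lines
        esac
        if [ "$uid" -ge "$start" ] && [ "$uid" -le "$end" ]; then
            echo "collision: $name (uid $uid) is inside kiosk range $start-$end"
            collisions=$((collisions + 1))
        fi
    done < "$passwd_file"
    [ "$collisions" -eq 0 ]
}
# suggest_range_start PASSWD_FILE MARGIN
# Prints a start value MARGIN above the highest UID in use, so the kiosk
# range sits well clear of regular users, as the guide recommends.
suggest_range_start() {
    passwd_file=$1; margin=$2; max_uid=0
    while IFS=: read -r name pw uid rest; do
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        if [ "$uid" -gt "$max_uid" ]; then max_uid=$uid; fi
    done < "$passwd_file"
    echo $((max_uid + margin))
}
# Constructed sample passwd data (not from a real system). In production feed
# the output of `getent passwd` so that LDAP/NIS accounts are included too.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
svc-backup:x:60010:60010:Backup service:/var/backup:/bin/false
EOF
if check_uid_range 60000 50 "$SAMPLE_PASSWD"; then
    echo "range 60000-60049 is free"
else
    echo "choose a higher User ID Range Start, e.g. $(suggest_range_start "$SAMPLE_PASSWD" 10000)"
fi
```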

When configuring secondary hosts, pay particular attention to the verification of the primary host's SSL certificate as described in Adding a Host to an Oracle VDI Center in the Oracle Virtual Desktop Infrastructure Administrator's Guide. Once you accept the authenticity of the primary host, by entering the root password, that host gains access to the full Oracle VDI installation with all internal credentials.

3.4.4. Desktop Selector Configuration Recommendations

To further strengthen Desktop Selector, take the following measures:

  • Enable the Oracle VDI screen lock (see Enabling a Desktop Screen Lock for Sun Ray Clients in the Oracle Virtual Desktop Infrastructure Administrator's Guide).

    # /opt/SUNWvda/sbin/vda settings-setprops -p clientscreenlock=Enabled

  • Keep Oracle VDI authentication enabled (default), unless there is a strong reason to disable it.

    # /opt/SUNWvda/sbin/vda settings-setprops -p clientauthentication=Enabled

    If authentication is disabled at the Oracle VDI level, then authentication must be enforced on the desktop OS.

  • Configure the session idle timeout to a reasonably low value (the default is 180 seconds, i.e., three minutes).

    VDA kiosk session arguments: -t (timeout in seconds)

  • Keep the desktop logout always policy enabled (default).

    # /opt/SUNWvda/sbin/vda settings-setprops -p client.logout.always=Enabled

  • If smart cards/tokens are used, they should be registered explicitly for the desired users, whether through the Sun Ray administration tool or through Oracle VDI administration.

3.4.5. Additional Configuration Recommendations

To strengthen the standard configuration, take the following measures:

  • Use the Sun Ray Software utcrypto command or the Sun Ray Web Admin tool to enable ALP encryption and server authentication (see Sun Ray Software Commands in the Sun Ray Software Administration Guide).

  • Synchronize primary and secondary hosts.

    • Oracle VDI configures the primary host as an NTP (Network Time Protocol) server. If the secondary hosts have different time settings, they can get out of sync with the primary. To prevent this condition, set up NTP on all Oracle VDI hosts (see Time Synchronization in the Oracle Virtual Desktop Infrastructure Administrator's Guide).

    • Use MD5 Fingerprint to authenticate secondary hosts.

  • Configure administrators and their roles.

    • In Sun Ray Software, use the utadminuser command to configure users (see the utadminuser(1M) man page).

    • In Oracle VDI, use the RBAC feature to assign roles (see About Oracle VDI Role-Based Administration in the Oracle Virtual Desktop Infrastructure Administrator's Guide).

  • Disable the Oracle VDI RDP Broker service, if it is not needed.

  • Use the Sun Ray Software utdevadm command to enable or disable device services as needed (see the utdevadm(1M) man page and Enabling and Disabling Device Services in the Sun Ray Software Administration Guide).

3.4.6. Configuration Summary

After initial Oracle VDI configuration completes, the host is in the following state:

  • Oracle VDI and Sun Ray Software services are running and accepting connections.

  • Oracle VDI and Sun Ray Software Manager user interfaces are running. The local root user can log into each management UI with full privileges.

  • Oracle VDI desktops are not configured and are not offered to connecting users.

  • ALP encryption is set to the default (off).

The following settings have been applied to the Sun Ray services on the host:

  • The Admin GUI is enabled and set up for remote HTTPS access.

  • The primary administrator specified when Oracle VDI is configured is added to the list of authorized Sun Ray administrators (see Administration Tool (Admin GUI) in the Sun Ray Software Administration Guide). The fixed Sun Ray administrator admin account is removed.

  • The Sun Ray data store (admin) password is set to the password entered during Oracle VDI configuration. A secure auto-generated password is used by default.

  • Sun Ray Software is prepared for use in a failover group, with a secure, auto-generated Sun Ray group signature. As further hosts are added to the Oracle VDI Center, they are added to the Sun Ray Software failover and replication group.

  • Sun Ray access policy is set up to use kiosk mode for all kinds of access and to allow access using the Oracle Virtual Desktop Client with all kinds of tokens.

  • Kiosk mode is configured with the Oracle Virtual Desktop Infrastructure (vda) kiosk session type.

  • Kiosk mode is set up with the number of kiosk user accounts on each host specified during Oracle VDI configuration.

  • Session access is allowed for any client connecting over a routed LAN.