Java Desktop System Configuration Manager Release 1.1 Installation Guide

Chapter 5 Installing Desktop Components on Linux and Solaris™

This chapter provides information specific to Solaris and Linux operating systems.

To access the configuration data from the Configuration Manager, a desktop client requires the Java™ Desktop System Configuration Agent. The Configuration Agent communicates with the remote configuration data repository and the adapters as well as integrates data into specific configuration systems. The configuration systems that are currently supported are GConf, Java Preferences, Mozilla Preferences, and StarOffice Registry.

Configuration Agent

The Configuration Agent is part of a number of different packages, which are listed in the following table:

Solaris Package Name    Linux RPM Name    Description
SUNWapbas               apoc-base         Configuration Shared libraries
SUNWapmsc               apoc-misc         Configuration Agent miscellaneous files
SUNWapoc                apoc              Configuration Agent
SUNWapdc                apoc-config       Configuration Agent wizard

When you install these packages, the files that are required for this API are installed. You can install the packages manually or through the Java Desktop System installation. After installation, you must configure and enable the Configuration Agent on your system.

To access the remote configuration data, the Configuration Agent requires some minimal bootstrap information, such as the host name and port of the LDAP server. This information is maintained in a set of properties files, such as policymgr.properties, apocd.properties, and os.properties. These files are stored locally in the /etc/apoc directory. You can manually edit these properties files, or you can use the configuration wizard for the Configuration Agent.

The configuration wizard offers a graphical user interface that guides you through the necessary settings of the Configuration Agent. For each page of the wizard, a corresponding help screen is available. You can start the wizard as super user (root) by means of the /usr/bin/apoc-config script. A corresponding desktop menu entry is also available under Preferences/System Tools/Network Settings, or under system-settings:///Network Settings in the Nautilus file manager.


Note –

The wizard can also be started without launching the graphical interface. For example, execute /usr/bin/apoc-config -nodisplay to start the wizard in console mode.


Bootstrap Information

Figure 5–1 Configuration Agent, Configuration Repository



Note –

Associated property file keys are indicated in parentheses, where appropriate.


Figure 5–2 Configuration Agent, Authentication Mechanism


Port Settings

The Configuration Agent uses two ports:

Figure 5–3 Configuration Agent, Port Settings


Change Detection Interval

The Configuration Agent periodically checks for any changes in the configuration data using the following two intervals:

You can use the general detection interval to tune the propagation of remote configuration data changes to client side applications. The value provided for this setting is the maximum length of time in minutes that elapses before remotely made changes are reflected in the client applications.

Smaller values result in increased Configuration Agent and LDAP server activity. As a result, use caution when you adjust the value of the settings. For example, in an initial deployment phase, you can set the value to one minute so that you can test the impact of remote configuration on client applications. After you complete the testing, return this setting to the initial value.

Operational Settings

Figure 5–4 Configuration Agent, Data Directory


The following settings can be configured:

Figure 5–5 Configuration Agent, Request Handling and Logging



Note –

Most of the operational settings, with the exception of the Data Directory and Connection Timeout settings, can also be maintained centrally through corresponding policies stored in the LDAP server. If you want to use this feature, do not adapt the corresponding settings by means of the wizard. Instead, use the Configuration Agent policies within the Configuration Manager to centrally specify operational settings.


Applying Agent Settings

With the exception of "Data Directory" and "Connection Timeout", operational settings that have been stored on the LDAP server by means of the Configuration Manager take effect automatically at the next change detection cycle for the agent configuration (see DaemonChangeDetectionInterval).

Figure 5–6 Configuration Agent, Summary Page


All other settings changed locally require a reload or restart of the Configuration Agent. The reload or restart is performed automatically if you use the configuration wizard.


Note –

To manually restart the Configuration Agent, ensure that no related client applications are running, log in as root, and type the command /usr/lib/apoc/apocd restart.


Data Access/User Authentication

The Configuration Agent retrieves information from the LDAP server based on the login ID of a desktop user. The User/UniqueIdAttribute setting of the organizational mapping file maps the login ID to a user entity in the LDAP server. The Configuration Agent also retrieves information about the host, such as the name or the IP address of the host. This information is mapped to a host entity in the LDAP server through the Host/UniqueIdAttribute setting of the organizational mapping file.

There are two methods to access the LDAP server, namely anonymously or with GSSAPI. For anonymous access, no action is required on the desktop. For the GSSAPI method, Kerberos credentials must be acquired on the desktop. To integrate Kerberos credential acquisition with the user login, the pam_krb5 module must be installed and configured on the Java Desktop System host.

You can use gdm to integrate Kerberos with the user login, for example, by using the following /etc/pam.d/gdm file:


#%PAM-1.0
auth   required    pam_unix2.so  nullok #set_secrpc
auth   optional  pam_krb5.so use_first_pass missing_keytab_ok ccache=SAFE putenv_direct
account required    pam_unix2.so 
password required    pam_unix2.so  #strict=false
session required    pam_unix2.so  # trace or none
session required    pam_devperm.so 
session optional    pam_console.so 

If you integrate Kerberos with user login in this way, you should also enable the screensaver's Kerberos support, for example by using the following /etc/pam.d/xscreensaver file:


auth required pam_krb5.so use_first_pass missing_keytab_ok ccache=SAFE putenv_direct
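
An added check for the two PAM files above (example code, not part of the original guide or the product): it parses pam.d rules, reports any line that is not a complete rule, such as option text wrapped onto its own line without a backslash continuation, and reports a screen-locker file that lacks the pam_krb5.so auth rule the login file has. The function names and the two xscreensaver sample strings are constructed for illustration; GDM holds the first lines of the gdm file shown above.

```python
# Added example: consistency check for the gdm and xscreensaver PAM files.
# Sample strings are constructed; bracketed control values ([...]) are not handled.
TYPES = {"auth", "account", "password", "session"}

def parse_pam(text):
    """Parse pam.d file text into (rules, problems)."""
    text = text.replace("\\\n", " ")          # backslash-newline continues a rule
    rules, problems = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        f = line.split()
        kind = f[0].lstrip("-")               # Linux-PAM allows a leading '-'
        if kind not in TYPES or len(f) < 3:
            problems.append(f"not a complete rule: {line!r}")
            continue
        rules.append({"type": kind, "control": f[1],
                      "module": f[2].split("/")[-1], "args": f[3:]})
    return rules, problems

def krb5_auth_args(rules):
    """Arguments of the pam_krb5.so auth rule, or None if there is none."""
    for r in rules:
        if r["type"] == "auth" and r["module"] == "pam_krb5.so":
            return r["args"]
    return None

def audit(login_text, locker_text):
    """Findings for a login service file and a screen-locker service file."""
    login, p_login = parse_pam(login_text)
    locker, p_lock = parse_pam(locker_text)
    findings = [f"login: {p}" for p in p_login] + [f"locker: {p}" for p in p_lock]
    want, have = krb5_auth_args(login), krb5_auth_args(locker)
    if want is not None and have is None:
        findings.append("locker: no pam_krb5.so auth rule, but login has one")
    elif want is not None and set(want) != set(have):
        findings.append(f"locker: pam_krb5.so options differ: {sorted(set(want) ^ set(have))}")
    return findings

GDM = """#%PAM-1.0
auth   required    pam_unix2.so  nullok #set_secrpc
auth   optional  pam_krb5.so use_first_pass missing_keytab_ok ccache=SAFE putenv_direct
account required    pam_unix2.so
"""
LOCKER_WRAPPED = "auth required pamkrb5.so use_first_pass missing_keytab_ok \nccache=SAFE putenv_direct\n"
LOCKER_FIXED = "auth required pam_krb5.so use_first_pass missing_keytab_ok ccache=SAFE putenv_direct\n"

if __name__ == "__main__":
    for f in audit(GDM, LOCKER_WRAPPED):
        print(f)
```

Run against real files by passing the contents of /etc/pam.d/gdm and /etc/pam.d/xscreensaver to audit(); an empty list means both files parse cleanly and carry the same pam_krb5.so options.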

GConf Adapter

The GConf adapter is part of the SUNWapoc-adapter-gconf package for Solaris and the apoc-adapter-gconf RPM for Linux. When you install the adapter from the corresponding package or RPM, the GConf data sources path in /etc/gconf/2/path is updated to include the Configuration Manager sources. The two data sources that are provided by the adapter are:

Java Preferences Adapter

The Java Preferences adapter is part of the SUNWapcj package for Solaris and the apoc-adapter-java RPM for Linux. When you install the adapter from the corresponding package or RPM, the required files are added in the /opt/SUNWapcj directory on Solaris, or /opt/apocjava on Linux.

Mozilla Adapter

The Mozilla adapter is part of the SUNWmozapoc-adapter package for Solaris and the mozilla-apoc-integration RPM for Linux. When you install the adapter from the corresponding package or RPM, the required files are added to an existing installation of Mozilla. The files are automatically registered.

StarOffice Adapter

The StarOffice adapter is included in a standard StarOffice installation and allows you to access the policy configuration data without any special modifications.