Some reasons to disable client authentication are:
Reduce administrative overhead: At the cost of security, disabling client authentication saves time required to manage client keys on the servers.
Eliminate log messages during upgrade: If you upgrade a Sun Ray server in a failover group with older servers, the upgraded server will repeatedly produce log messages indicating that it cannot store key data, and the server will treat all keys as unconfirmed. Client authentication should be enabled once the entire group is upgraded.
Disabling client authentication creates a security risk. Make sure you understand the consequences before disabling client authentication.
Disabling client authentication applies to all future connections without restarting the Sun Ray server.
Use the following command to disable client authentication:
# utcrypto -a auth_up_type=none
Use -m instead of -a if a non-default security policy already exists.
To enable client authentication, set the auth_up_type value to default.
If you don't need to allow access to clients running older versions of firmware, you can improve security by requiring client authentication from all clients.
Use the following command to force client authentication.
# utcrypto -m auth_up_type=DSA auth_mode=hard
Use -a instead of -m if a non-default security policy already exists.
Sun Ray Client keys are initially considered unconfirmed and need to be confirmed as authentic for the specific client by human intervention. Sun Desktop Access Client keys are always considered automatically confirmed (auto-confirmed), because the ID by which a Desktop Access Client is identified is uniquely derived from its key.
The following procedure sets the policy that a confirmed key is required before access to a client is granted. To enact a stronger policy, you should also set up the security policy to require client authentication from all clients, as described in Section 8.8.2, “How to Force Client Authentication From All Clients”.
View the current policies:
# utpolicy
Current Policy: -a -g -z both -k pseudo -u pseudo
Set the client authentication policy with the -c option:
# utpolicy -a -g -z both -k pseudo -u pseudo -c
Restart the Sun Ray services:
# utstart
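
The procedure above repeats the existing policy flags and appends -c. As an added example (not part of the original documentation), the following shell functions derive that command from utpolicy output instead of retyping the flags by hand. The function names are hypothetical, and the output format is assumed to match the sample shown above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, and the utpolicy output
# format is assumed to match the sample shown in the procedure above.

# Print the flag string that follows "Current Policy:" in utpolicy output (stdin).
policy_flags() {
    tr '\n' ' ' |
        sed -n '/Current Policy:/{s/^.*Current Policy:[[:space:]]*//;s/[[:space:]]*$//;p;}'
}

# Succeed if -c (confirmed key required) is already one of the flags.
requires_confirmed_key() {
    case " $1 " in
        *" -c "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read utpolicy output on stdin and print the command that re-applies the
# current flags with -c appended. Prints nothing if -c is already set.
# Returns 2 if the policy cannot be parsed or contains unexpected characters.
confirmed_key_command() {
    flags=$(policy_flags)
    if [ -z "$flags" ]; then
        echo "no 'Current Policy:' flags found" >&2
        return 2
    fi
    # The result is meant to be run as root, so accept only letters, digits,
    # spaces and hyphens (a conservative assumption about valid flags).
    leftover=$(printf '%s' "$flags" | tr -d 'A-Za-z0-9 -')
    if [ -n "$leftover" ]; then
        echo "unexpected characters in policy: $leftover" >&2
        return 2
    fi
    if requires_confirmed_key "$flags"; then
        return 0
    fi
    printf 'utpolicy %s -c\n' "$flags"
}

# Constructed sample in the format shown above, not captured from a live server.
SAMPLE='Current Policy: -a -g -z both -k pseudo -u pseudo'
printf '%s\n' "$SAMPLE" | confirmed_key_command
```

On a server, pipe the real output in (utpolicy | confirmed_key_command), review the printed command before running it, and then restart the Sun Ray services with utstart as in the last step.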