11.8. Managing Client Authentication

11.8.1. How to Disable Client Authentication
11.8.2. How to Force Client Authentication From All Clients
11.8.3. How to Deny Access to Clients With Unconfirmed Keys

11.8.1. How to Disable Client Authentication

Some reasons to disable client authentication are:

  • Reduce administrative overhead: At the cost of security, disabling client authentication saves time required to manage client keys on the servers.

  • Eliminate log messages during upgrade: If you upgrade a Sun Ray server in a failover group that still contains older servers, the upgraded server repeatedly logs messages indicating that it cannot store key data, and it treats all keys as unconfirmed. Re-enable client authentication once the entire group is upgraded.

Note

Disabling client authentication creates a security risk. Make sure you understand the consequences before disabling client authentication.

Before You Begin

  • Disabling client authentication applies to all future connections without restarting the Sun Ray server.

Command-Line Steps

  • Use the following command to disable client authentication:

    # utcrypto -a auth_up_type=none

    Use -m instead of -a if a non-default security policy already exists.

To enable client authentication, set the auth_up_type value to default.

Admin GUI Steps

On the Advanced->Security page, deselect Client Authentication and click Save.

11.8.2. How to Force Client Authentication From All Clients

If you do not need to allow access to clients running older firmware versions that cannot authenticate, you can improve security by requiring client authentication from all clients (hard mode). Clients that cannot authenticate are then refused rather than admitted.

Command-Line Steps

  • Use the following command to force client authentication:

    # utcrypto -m auth_up_type=DSA auth_mode=hard

    Use -a instead of -m if no non-default security policy exists yet (-m modifies an existing policy; -a creates one).

Admin GUI Steps

  1. Navigate to the Advanced->Security page.

  2. Select the Client Authentication option and select Hard as the Security Mode.

  3. Click Save.

11.8.3. How to Deny Access to Clients With Unconfirmed Keys

Sun Ray Client keys are initially considered unconfirmed and must be confirmed as authentic for the specific client by an administrator. Oracle Virtual Desktop Client keys are always considered automatically confirmed (auto-confirmed), because the ID by which an Oracle Virtual Desktop Client is identified is uniquely derived from its key.

The following procedure sets the policy that a client must have a confirmed key before it is granted access. On its own this policy only applies to clients that present a key; for a stronger policy, also require client authentication from all clients, as described in Section 11.8.2, “How to Force Client Authentication From All Clients”, so that clients that cannot authenticate are refused too.

Command-Line Steps

  1. View the current policies:

    # utpolicy
    Current Policy:
    -a -g -z both -k pseudo -u pseudo
  2. Set the client authentication policy with the -c option:

    # utpolicy -a -g -z both -k pseudo -u pseudo -c
  3. Restart the Sun Ray services:

    # utstart
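Because utpolicy replaces the whole policy, the command in step 2 must repeat every option already shown in step 1 and add -c; dropping an option silently changes other behaviour. The following script is an added example, not part of the Sun Ray documentation: it reads the current option line, appends -c only if it is missing, and restarts services only when the policy actually changed. It assumes utpolicy prints "Current Policy:" followed by the option line, as in step 1 above; the sample output embedded in the script is constructed for offline testing, and the real commands run only when APPLY=1 is set on a Sun Ray server.

```shell
#!/bin/sh
# Added example (not Sun Ray's own code): make the "confirmed key required"
# change (utpolicy ... -c, then utstart) idempotent and auditable.
# Assumption: utpolicy prints "Current Policy:" followed by the option line.

# Constructed sample of utpolicy output, used when not applying for real.
SAMPLE_UTPOLICY_OUTPUT='Current Policy:
-a -g -z both -k pseudo -u pseudo'

# Extract the option line that follows "Current Policy:" from utpolicy output.
# Prints nothing if the expected header is absent.
current_policy_opts() {
    printf '%s\n' "$1" | awk '/^Current Policy:/ { getline; sub(/^[ \t]*/, ""); print; exit }'
}

# Return the option list with -c (confirmed key required) present exactly once.
with_key_confirmation() {
    case " $1 " in
        *" -c "*) printf '%s\n' "$1" ;;
        *)        printf '%s -c\n' "$1" ;;
    esac
}

# Exit status 0 when the two option lists differ.
policy_changed() {
    [ "$1" != "$2" ]
}

# Dry run by default; APPLY=1 runs utpolicy and utstart on a Sun Ray server.
require_confirmed_keys() {
    if [ "${APPLY:-0}" = 1 ]; then
        command -v utpolicy >/dev/null 2>&1 || { echo "utpolicy not found" >&2; return 1; }
        out=$(utpolicy)
    else
        out=$SAMPLE_UTPOLICY_OUTPUT
    fi
    cur=$(current_policy_opts "$out")
    if [ -z "$cur" ]; then
        # Never rebuild a policy from a listing we could not parse:
        # utpolicy replaces the whole policy, so a guess would drop options.
        echo "could not parse utpolicy output; refusing to change policy" >&2
        return 1
    fi
    new=$(with_key_confirmation "$cur")
    if ! policy_changed "$cur" "$new"; then
        echo "confirmed keys already required ($cur); nothing to do"
        return 0
    fi
    echo "policy change: [$cur] -> [$new]"
    if [ "${APPLY:-0}" = 1 ]; then
        # Word splitting of $new is intentional: each option is a separate argument.
        utpolicy $new && utstart
    else
        echo "dry run; would run: utpolicy $new && utstart"
    fi
}

require_confirmed_keys
```

Run it once without APPLY to review the before/after option lists, then with APPLY=1 to apply and restart. Because the -c flag is only appended when absent, re-running the script on an already hardened server reports "nothing to do" instead of restarting services again.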

Admin GUI Steps

  1. On the Advanced->System Policy tab page, select the Client Key Confirmation Required option in the Client Authentication section.

  2. Restart all servers in the server group.