Securing Oracle SGD

We want to secure Oracle SGD so that it is reachable only through the HTTPS port, using a test certificate. This process is based on SGD 4.50 and 4.60, on which we have tested it. These steps enable a secure connection from the client to the SGD Web Server and SGD Server components.

After the installation has completed and SGD has started properly, we can configure SGD as follows:

  1. Enable and start security in the SGD Web Server
    • /opt/tarantella/bin/tarantella security enable
    • /opt/tarantella/bin/tarantella security start
  2. Apply secure connections
    • Edit httpd.conf and change Listen 443 to Listen 127.0.0.1:443
    • /opt/tarantella/bin/tarantella config edit --security-applyconnections 1
    • /opt/tarantella/bin/tarantella config edit --array-port-encrypted 443
    • /opt/tarantella/bin/tarantella config edit --array --security-firewallurl https://127.0.0.1:443
    • /opt/tarantella/bin/tarantella restart webserver -https
  3. Create a secure mapping from client to SGD server by editing the profile
    • Log in to the administration console
    • Choose the User Profile of the user you want to configure (this can also be done through System Objects)
    • Choose Security
    • Click Add, then map the Client Address pattern to the SGD server, then choose the connection type Secure, for example:

        Client Device Address | Secure Global Desktop Server Address | Connection Type
        Connections Defined Directly
        *                     | sgd.server.com                       | Secure

Sun Secure Global Desktop – Firewall Friendly

By default there are 4 ports used by Sun Secure Global Desktop (SSGD) to communicate with clients.

  • 80 – SSGD web server
  • 443 – SSGD web server with SSL
  • 3144 – SSGD Server to SGD Client Device
  • 5307 – SSGD Server to SGD Client Device encrypted

Most firewall configurations allow only a few ports; generally ports 80 (http) and 443 (https) are open.

We can configure SSGD so that it communicates using only those 2 ports (80 and 443).

This blog entry is based on fatbloke’s blog entries.

I just wrapped up both entries into a single page 🙂

  1. You need an X.509 certificate; you can buy one from a Certificate Authority (CA) or use a self-signed certificate for demo and test purposes
    # /opt/tarantella/bin/tarantella security certrequest \
      --country US --state CA --orgname "Acme Widgets Ltd"
    # /opt/tarantella/bin/tarantella security selfsign
  2. Start SSGD in security mode:
    # /opt/tarantella/bin/tarantella security start
  3. Edit /opt/tarantella/webserver/apache/*/conf/httpd.conf
    Change this line:

    Listen 443

    to:

    Listen 127.0.0.1:443
  4. Set up SSGD to listen on port 443:
    # /opt/tarantella/bin/tarantella config edit \
      --array-port-encrypted 443
  5. Tell SSGD where to send non-AIP traffic:
    # /opt/tarantella/bin/tarantella config edit \
      --security-firewallurl https://127.0.0.1:443
  6. Restart the SSGD web server in SSL mode:
    # /opt/tarantella/bin/tarantella webserver \
      restart --ssl
  7. Restart SSGD:
    # /opt/tarantella/bin/tarantella restart
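Once the steps above are done, the one setting that is easy to get wrong is step 3: if port 443 in httpd.conf is still bound to all interfaces, the web server's SSL listener competes with the SGD server for the port that is supposed to be the only encrypted entry point. The script below is an added example, not part of the original post or of SGD, that checks an httpd.conf for that condition; the file names and contents it uses are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: a post-configuration check for
# step 3 above. It reads an httpd.conf and confirms that every "Listen" on
# port 443 is bound to 127.0.0.1, so the SGD web server's SSL port is only
# reachable through the SGD server's own port 443. File names and contents
# below are constructed samples; the real file lives under
# /opt/tarantella/webserver/apache/*/conf/httpd.conf.

# Return 0 if every port-443 Listen directive is bound to 127.0.0.1; print the
# offending directives and return 1 otherwise. Comments are stripped first.
# IPv4 form only, matching the "Listen 127.0.0.1:443" line the procedure sets.
check_listen_loopback() {
    offenders=$(sed -e 's/#.*//' "$1" | awk '
        $1 == "Listen" {
            addr = $2
            n = split(addr, p, ":")
            port = p[n]
            host = (n > 1) ? substr(addr, 1, length(addr) - length(port) - 1) : ""
            if (port == "443" && host != "127.0.0.1") print addr
        }')
    if [ -n "$offenders" ]; then
        printf '%s: port 443 exposed beyond loopback: %s\n' "$1" "$offenders"
        return 1
    fi
    return 0
}

# Write a constructed httpd.conf fragment whose 443 listener is the given line.
mk_sample() {
    cat > "$1" <<EOF
# constructed sample, not a real SGD httpd.conf
ServerName sgd.server.com
Listen 80
$2
EOF
}

# Demo on constructed files: one correct, two still open on all interfaces.
tmpdir=$(mktemp -d)
mk_sample "$tmpdir/good.conf" "Listen 127.0.0.1:443"
mk_sample "$tmpdir/bad.conf"  "Listen 443"
mk_sample "$tmpdir/wild.conf" "Listen 0.0.0.0:443"
for f in "$tmpdir"/*.conf; do
    if check_listen_loopback "$f"; then echo "$f: ok"; fi
done
rm -rf "$tmpdir"
```

Run it against the real file with `check_listen_loopback /opt/tarantella/webserver/apache/*/conf/httpd.conf` after step 6; a non-zero exit means the edit in step 3 did not take effect.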