Securing Oracle SGD

We want to secure Oracle SGD so that it is accessible through the HTTPS port only, using a test certificate. This process is based on SGD 4.50 and 4.60, which we have tested. These steps enable secure connections from the client to the SGD Web Server and SGD Server components.

After the installation has completed and SGD has started properly, we can configure SGD as follows:

  1. Enable and start security in the SGD Web Server
    • /opt/tarantella/bin/tarantella security enable
    • /opt/tarantella/bin/tarantella security start
  2. Apply security connections
    • Edit httpd.conf: replace Listen 443 with Listen 127.0.0.1:443
    • /opt/tarantella/bin/tarantella config edit --security-applyconnections 1
    • /opt/tarantella/bin/tarantella config edit --array-port-encrypted 443
    • /opt/tarantella/bin/tarantella config edit --array --security-firewallurl https://127.0.0.1:443
    • /opt/tarantella/bin/tarantella restart webserver -https
  3. Create a secure mapping from the client to the SGD Server (edit the user profile)
    • Log in to the administration console
    • Choose User Profiles for the user that you want to configure (can also be done through System Objects)
    • Choose Security
    • Click Add, then map the Client Address pattern to the SGD server address, then choose the connection type Secure, for example:

      Connections Defined Directly

      Client Device Address | Secure Global Desktop Server Address | Connection Type
      *                     | sgd.server.com                       | Secure
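
A check for the httpd.conf edit in step 2, as an added example that is not part of the original post: it reads a configuration file and confirms that port 443 is bound on 127.0.0.1 only. The function name check_listen and the sample file contents are constructed for illustration; point the function at your own httpd.conf.

```sh
#!/bin/sh
# Added example (not from the original post): audit httpd.conf for step 2.
# check_listen FILE [PORT]
#   exit 0: PORT is bound on 127.0.0.1 only
#   exit 1: PORT is also bound elsewhere (offending lines are printed)
#   exit 2: no "Listen 127.0.0.1:PORT" found
check_listen() {
    awk -v port="${2:-443}" '
        { sub(/#.*/, "") }                    # strip comments
        tolower($1) != "listen" { next }      # directive names are case-insensitive
        {
            n = split($2, part, ":")
            p = part[n]                       # port is the last ":"-separated field
            addr = (n > 1) ? substr($2, 1, length($2) - length(p) - 1) : "*"
            if (p != port) next
            if (addr == "127.0.0.1") { loopback = 1; next }
            printf "line %d: port %s bound on %s\n", NR, port, addr
            bad = 1
        }
        END { if (bad) exit 1; if (!loopback) exit 2 }
    ' "$1"
}

# Constructed sample files: the Listen lines before and after the edit,
# plus one where a second (IPv6 wildcard) listener was left behind.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'Listen 80' 'Listen 443' > "$tmp/before.conf"
printf '%s\n' 'Listen 80' '#Listen 443' 'Listen 127.0.0.1:443' > "$tmp/after.conf"
printf '%s\n' 'Listen 127.0.0.1:443' 'listen [::]:443 https' > "$tmp/mixed.conf"

for f in before after mixed; do
    if check_listen "$tmp/$f.conf"; then echo "$f: ok"
    else echo "$f: FAIL (status $?)"; fi
done
```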

Installing Oracle Secure Global Desktop on Solaris 10 Non-Global Zone

After several years of not playing around with Secure Global Desktop (SGD), I recently tried to install Sun Secure Global Desktop in a non-global zone of Solaris 10.

The first installation attempt, using SGD 4.5, failed. The second trial used SGD 4.41, which I have tried before and which works; the only difference is the Solaris version. It was using Sun Solaris instead of Oracle Solaris.

The error was that the SGD server was unable to start; after digging, I found an error caused by the installer being unable to open a specific port. I tried to find it through Google and forums, with no luck.

Then I checked ulimit and, voilà, the default nofiles in a non-global zone is very small. That's why the installer always failed, and even when it started, when we tried to log in through the browser, we would get java.io.Exception.

So I tried to increase the nofiles limit. You can use the traditional ulimit command on a per-session basis; on a per-zone basis you can achieve this through projects.

Just log in to the non-global zone and edit /etc/project so that this line looks like:

user.root:1::::process.max-file-descriptor=(basic,8192,deny)

It means we will set the nofiles limit to 8192. To understand projects, you can open the Solaris documentation chapter "Projects and Tasks".