Securing Oracle SGD

We want to secure Oracle SGD so that it is reachable over the HTTPS port only, using a test certificate. This procedure was tested on SGD 4.50 and 4.60. The steps enable secure connections from the client to the SGD Web Server and the SGD Server components.

Once installation has completed and SGD starts properly, configure SGD as follows:

  1. Enable and start security on the SGD Web Server
    • /opt/tarantella/bin/tarantella security enable
    • /opt/tarantella/bin/tarantella security start
  2. Apply secure connections
    • Edit httpd.conf and change Listen 443 to Listen 127.0.0.1:443 (the SGD Web Server then accepts HTTPS only on the loopback interface)
    • /opt/tarantella/bin/tarantella config edit --security-applyconnections 1
    • /opt/tarantella/bin/tarantella config edit --array-port-encrypted 443
    • /opt/tarantella/bin/tarantella config edit --array --security-firewallurl https://127.0.0.1:443
    • /opt/tarantella/bin/tarantella restart webserver -https
  3. Create a secure mapping from the client to the SGD Server by editing the profile
    • Log in to the administration console
    • Choose the User Profile of the user you want to configure (this can also be done through System Objects)
    • Choose Security
    • Click Add, then map the Client Device Address pattern to the SGD Server address and choose the connection type Secure, for example:

    Client Device Address   Secure Global Desktop Server Address   Connection Type
    (Connections Defined Directly)
    *                       sgd.server.com                         Secure
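The httpd.conf change in step 2 is the part most easily done wrong by hand (a second Listen line left behind, or the edit applied to a different interface than intended), so here is an added shell example, not part of the original post, that performs that edit on a file, verifies that no non-loopback listener on 443 remains, and then runs the tarantella commands from step 2 only when the SGD binary is present. The sample httpd.conf is constructed; on a real host point restrict_listen at the SGD Web Server's own httpd.conf.

```shell
#!/bin/sh
# Added example (not from the original post): lock the SGD Web Server's HTTPS
# listener to loopback and verify it before restarting. The sample httpd.conf
# below is constructed; /opt/tarantella/bin/tarantella is the path the post uses.
set -e

# Rewrite every "Listen 443" (all interfaces) to "Listen 127.0.0.1:443".
# A backup is written to <file>.bak first.
restrict_listen() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed 's/^[[:space:]]*Listen[[:space:]][[:space:]]*443[[:space:]]*$/Listen 127.0.0.1:443/' \
        "$conf.bak" > "$conf"
}

# Return 0 when the only port-443 listener is 127.0.0.1:443; otherwise print
# the offending Listen directives and return 1.
check_listen() {
    conf="$1"
    bad=$(grep -E '^[[:space:]]*Listen[[:space:]]' "$conf" \
          | grep -E ':443([[:space:]]|$)|[[:space:]]443[[:space:]]*$' \
          | grep -v '127\.0\.0\.1:443' || true)
    if [ -n "$bad" ]; then
        echo "port 443 still exposed on a non-loopback address:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# The remaining step-2 settings from the post. Skipped (with a message) when
# the tarantella binary is absent so the script stays runnable elsewhere.
apply_sgd_settings() {
    t=/opt/tarantella/bin/tarantella
    if [ ! -x "$t" ]; then
        echo "$t not found, skipping SGD config edits" >&2
        return 0
    fi
    "$t" config edit --security-applyconnections 1
    "$t" config edit --array-port-encrypted 443
    "$t" config edit --array --security-firewallurl https://127.0.0.1:443
    "$t" restart webserver -https
}

# Constructed stand-in for the SGD Web Server's httpd.conf.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
ServerRoot "/opt/tarantella/webserver/apache"
Listen 80
Listen 443
EOF

restrict_listen "$demo_conf"
check_listen "$demo_conf" && echo "ok: $demo_conf now listens on 127.0.0.1:443 only"
```

On the SGD host the order is restrict_listen on the real httpd.conf, check_listen, and only then apply_sgd_settings, so that the web server is never restarted while it still binds port 443 on every interface.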

Installing Oracle Secure Global Desktop on Solaris 10 Non-Global Zone

After several years of not touching Secure Global Desktop (SGD), I recently tried to install Sun Secure Global Desktop in a non-global zone on Solaris 10.

The first attempt, using SGD 4.5, failed. The second attempt used SGD 4.41, which I had tried before and which had worked; the only difference this time was the Solaris version, Sun Solaris rather than Oracle Solaris.

The error was that the SGD server would not start; after digging, it turned out the installer was unable to open a specific port. Searching Google and the forums turned up nothing.

Then I checked ulimit, and voila: the default nofiles limit in a non-global zone is very small. That is why the installer always failed, and even when it did start, logging in through the browser produced a java.io.Exception.

So I increased the nofiles limit. You can do this per session with the traditional ulimit command; for a zone-wide setting you can use projects.

Log in to the non-global zone and edit /etc/project so that the root project line looks like this:

user.root:1::::process.max-file-descriptor=(basic,8192,deny)

This sets the nofiles limit to 8192. To learn more about projects, see the Solaris documentation chapter Projects and Tasks.
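Since an /etc/project entry is easy to get subtly wrong (the attributes live in the sixth colon-separated field, after four fields that are usually empty), here is an added shell example, not part of the original post, that reads the process.max-file-descriptor value for a named project out of a project file and checks it against the 8192 the post uses. The sample file is constructed; on a real zone pass /etc/project instead.

```shell
#!/bin/sh
# Added example (not from the original post): verify the nofiles limit set in
# /etc/project. Format per line: name:id:comment:users:groups:attributes, so the
# rctl attributes are field 6. The sample file below is constructed.
set -e

# Print the "basic" value of process.max-file-descriptor for project $2 in
# file $1 (e.g. 8192 for "...=(basic,8192,deny)"), or nothing if unset.
project_fd_limit() {
    file="$1"; project="$2"
    awk -F: -v p="$project" '
        $1 == p {
            n = split($6, attrs, ";")
            for (i = 1; i <= n; i++)
                if (attrs[i] ~ /^process\.max-file-descriptor=/) {
                    # attrs[i] is e.g. process.max-file-descriptor=(basic,8192,deny)
                    sub(/^[^=]*=\(/, "", attrs[i])
                    sub(/\)$/, "", attrs[i])
                    split(attrs[i], f, ",")
                    print f[2]
                }
        }' "$file"
}

# Return 0 if project $2 in file $1 allows at least $3 descriptors (default 8192).
require_fd_limit() {
    want="${3:-8192}"
    have=$(project_fd_limit "$1" "$2")
    [ -n "$have" ] && [ "$have" -ge "$want" ]
}

# Constructed sample standing in for /etc/project on the zone.
sample=$(mktemp)
cat > "$sample" <<'EOF'
system:0::::
user.root:1::::process.max-file-descriptor=(basic,8192,deny)
noproject:2::::
default:3::::
EOF

echo "user.root nofiles limit from project file: $(project_fd_limit "$sample" user.root)"
echo "current shell nofiles limit (ulimit -n):   $(ulimit -n)"
if require_fd_limit "$sample" user.root 8192; then
    echo "ok: user.root allows at least 8192 descriptors"
fi
```

The ulimit -n line is the per-session view the post contrasts with the project setting; a new login shell in the zone should report the project value once /etc/project is in place.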

Solaris 10 10/08 (U6) ZFS Root Installation Tip

If you want to install the new Solaris 10 10/08 with ZFS as its root file system, the option may not appear in GUI installation mode.

That is why you need to install in Text/Console mode: choose option 4 at the first prompt of the installation process.

In one of the wizard steps you are asked whether to use ZFS or UFS; choose ZFS. Then fill in the pool name, choose the sizes of the root pool, swap and dump areas, and decide how you want to store /var.

xVM with Marvell Yukon Ethernet Driver

I spent days trying to get my Marvell Yukon Ethernet driver (in my case an 88E8056) working with Sun xVM VirtualBox and xVM on Solaris 10 and on Nevada B80/B93. I used the driver from Marvell and tested two versions of it, but with no luck: with every version, dladm show-dev reported the link status as UNKNOWN.

After searching around I realised that xVM needs GLD v3 network drivers, which Marvell does not provide. This link was very useful, and I replicated its procedure with a newer driver version:

  • Obtain the ON source here and extract it
  • Obtain the driver source here (I used version 2.6.1; a newer version may be available) and extract it
  • Make sure that skge (from the Solaris/OpenSolaris installer) and yukonx (from Marvell) have been removed
  • Then run:

$ gzcat myk-2.6.1.tar.gz | tar xf -
$ cd myk-2.6.1
$ rm Makefile.config
$ ln -s Makefile.config_gld3 Makefile.config
$ vi Makefile.config

Edit the line so that it points at the location where you extracted the ON source:
ONUTSDIR = /root/Download/opensolaris/usr/src/uts

  • Build and install the driver (I used GCC)

$ export PATH=$PATH:/usr/sfw/bin
$ gmake
$ su
# gmake install
# ./adddrv.sh
# dladm show-link
LINK CLASS MTU STATE OVER
myk0 phys 1500 up --

Now you can start Sun xVM VirtualBox, and the xVM network bridge works fine.

Tips Installing Sun Java System Web Server 7.0 on Solaris 10

Sun Java System Web Server (SJSWS) is part of the Java Enterprise System software stack. It is one of the most feature-complete web servers available: you can deploy Java web applications, PHP and Ruby on Rails with it.

Combined with Solaris 10 it offers further advantages, such as SMF, Solaris Containers/Zones and DTrace.

Here is a step-by-step guide to installing SJSWS on Solaris 10:

  1. Obtain the installer from the Sun website.
  2. Install the software; you can use the GUI or text-based installer wizard, or silent mode to install automatically on several server boxes.
  3. During installation you can choose to install the web server, the admin server (and its agent), or both.
  4. After installation you can start the admin server and your web server.

If you install SJSWS 7.0 U2 on Solaris 10 x86 U5, the admin server produces a core dump file each time it starts. To fix this you need to upgrade the JDK to a newer version; in my case I updated from 1.5.0.14 to 1.5.0.15. Then point the /usr/jdk/latest link at the newer version.

Installing CSKamp – Coolstack 1.2 – in Local Zone on Solaris 10

Cool Stack is a collection of some of the most commonly used open source applications, optimized for the Sun Solaris OS platform. These binaries give you the best performance from your system while also reducing your time-to-service.

Here are the steps to install CSKamp in a local zone:

  1. Create a sparse zone
  2. Log in to that zone
  3. Obtain the CSKamp and CSKruntime binary packages from here (a registered SDN account is needed to download them)
  4. bunzip2 the packages
  5. Install CSKruntime
  6. Install CSKamp

Configure and Run PostgreSQL 8.2 in Local Zone – Solaris 10 U4

Solaris 10 U4 ships with PostgreSQL 8.2. Here are the steps to enable PostgreSQL in a local zone on Solaris 10 U4.

  1. Create a sparse zone
  2. Log in to that zone
  3. Initialize the PostgreSQL database as follows:
    • As root, su to the postgres user:
        # su - postgres
    • Create the PostgreSQL DB:
        $ /usr/postgres/8.2/bin/initdb -D /var/postgres/8.2/data
    • As root, use the SMF svcadm command to start PostgreSQL:
        # /usr/sbin/svcadm enable postgresql:version_82

If you need PostgreSQL to accept remote connections over TCP/IP, do the following:

  1. Edit /var/postgres/8.2/data/pg_hba.conf
    • Add the lines your requirements call for, following the instructions and samples inside the file.
  2. Edit /var/postgres/8.2/data/postgresql.conf
    • Change the default listen_addresses = 'localhost' to listen_addresses = '*', or to a specific host address according to your requirements.
  3. Restart PostgreSQL
    • # /usr/sbin/svcadm restart postgresql:version_82

To test the TCP/IP connection, use the psql command as follows:
# psql -h <hostname> -U <database username> -d <database name>
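Opening listen_addresses to '*' exposes the server on every interface, and pg_hba.conf then decides who may connect, so the two edits belong together. Here is an added shell example, not part of the original post, that makes the postgresql.conf change for a single address rather than '*', appends a pg_hba.conf rule for one database, user and subnet with md5 password authentication, and audits pg_hba.conf for remote "trust" rules, which admit a client without any password. The file contents are constructed; on a Solaris 10 U4 zone the real files are the /var/postgres/8.2/data paths given above.

```shell
#!/bin/sh
# Added example (not from the original post): apply the remote-access edits
# restrictively and audit pg_hba.conf. Sample files are constructed; real paths
# on the zone are /var/postgres/8.2/data/postgresql.conf and pg_hba.conf.
set -e

# Set listen_addresses in postgresql.conf to $2 (e.g. 10.0.0.5), replacing an
# existing or commented-out setting, or appending one if none is present.
set_listen_addresses() {
    conf="$1"; addr="$2"
    cp "$conf" "$conf.bak"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*listen_addresses[[:space:]]*=' "$conf.bak"; then
        sed "s/^[[:space:]]*#\{0,1\}[[:space:]]*listen_addresses[[:space:]]*=.*/listen_addresses = '$addr'/" \
            "$conf.bak" > "$conf"
    else
        { cat "$conf.bak"; echo "listen_addresses = '$addr'"; } > "$conf"
    fi
}

# Append a host rule to pg_hba.conf: database $2, user $3, CIDR $4, md5 auth.
allow_subnet_md5() {
    hba="$1"; db="$2"; user="$3"; cidr="$4"
    printf 'host\t%s\t%s\t%s\tmd5\n' "$db" "$user" "$cidr" >> "$hba"
}

# Print every host/hostssl/hostnossl rule for a non-loopback address whose
# method is "trust" and return 1 if any exist; return 0 otherwise.
audit_trust_rules() {
    hba="$1"
    bad=$(awk '$1 ~ /^host(ssl|nossl)?$/ && ($5 == "trust" || $6 == "trust") \
               && $4 !~ /^(127\.|::1)/' "$hba")
    if [ -n "$bad" ]; then
        echo "remote trust rule(s) in $hba:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed excerpts standing in for the two files in /var/postgres/8.2/data.
pgconf=$(mktemp); hba=$(mktemp)
cat > "$pgconf" <<'EOF'
#listen_addresses = 'localhost'
port = 5432
EOF
cat > "$hba" <<'EOF'
# TYPE  DATABASE  USER  CIDR-ADDRESS   METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
host    all       all   0.0.0.0/0      trust
EOF

set_listen_addresses "$pgconf" 10.0.0.5
allow_subnet_md5 "$hba" appdb appuser 10.0.0.0/24
# The sample still carries a wide-open trust rule, so the audit reports it.
audit_trust_rules "$hba" || echo "fix pg_hba.conf before restarting postgresql:version_82" >&2
```

After the files pass the audit, the svcadm restart from step 3 and the psql test above apply unchanged; psql should now prompt for a password from a host inside 10.0.0.0/24 and be refused from anywhere else.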