OSGD on Oracle Technology Network (webcast)

During Oracle Open World 2010 (including JavaOne/Oracle Develop) a interview with John Bondi was recorded. John spoke about the Secure Global Desktop products history, present and future.

One interesting note:

Oracle and the SGD-product history together goes back to 2002, far before the Oracle-Sun merger and even before Sun bought the old Tarantella product.

(The history of Everett and the SGD-product is of the same age :) )





More Desktop Virtualisation presentations from OOW2010 on OTN can be found on the "Think Thin"-blog.

Oracle Secure Global Desktop 4.6 Screenshots

Although Oracle Secure Global Deskop (OSGD) 4.6 is the first Oracle release of the product and Oracle re-branded the Look and Feel, the new release contains some very good innovations. More on these changes (like Automatic Recovery after Array Failover, Dynamic Launch and Dynamic Drive mapping) in later posts. This post contains a few screen shots of OSGD 4.6 to show the new colors.

To start the list of screen shots the Login page:

Login Screen

My personal favorite is the Splash-screen. The screen that looks to control the login-procedure, but in fact it contains a subtle animated-gif. The real work is done in an invisible page on the background.

Splash Screen

And then after login to OSGD the Webtop. The main page of the product for all users, where the user applications can be started/controlled.

OSGD Webtop

There are more screens which have been re-branded, in fact all the screens of both the Webtop and the Web Admin GUI contain the new Look&Feel, but it will be too much for this post to shown them. There is however one small thing to show: The 'new' session names:

New session names

In the former versions the sessions were named like: Session 1, Session 2, etc. Changing these to timestamps make it much easier to identify the sessions :)

Oracle Secure Global Desktop 4.6

As stated in the beginning of this year Oracle has committed to keep Secure Global Desktop alive. With the release of the new Oracle SGD 4.6 they show to not only keep the product, but also continue in the development :)

"The new capabilities delivered in Oracle Secure Global Desktop 4.6 underscore our focus on making applications easier to deploy, manage and support in virtualized datacenter environments."
Wim Coekaerts, senior vice president, Linux and Virtualization Engineering, Oracle

Oracle Secure Global Desktop 4.6 has been released on September 10, 2010 and can be downloaded via the 'old' Sun Download Site.

Documentation of OSGD 4.6 (Oracle document collection):

• Platform Support and Release Notes
• Installation Guide
• Administration Guide
• Gateway Administration Guide
• User Guide

Oracle Secure Global Desktop 4.6 is the latest of many new desktop virtualization products and capabilities recently announced including new releases of Oracle VM VirtualBox, Sun Ray Software and Oracle Virtual Desktop Infrastructure. This demonstrates Oracle’s continued commitment to providing a comprehensive desktop to datacenter portfolio.

Secure Global Desktop stays alive after Oracle Sun merger

On January 27, Sun and Oracle have been merged into one company; Software. Hardware. Complete.

Oracle is continuing the Secure Global Desktop product as part of their virtualization technology group. The product has been placed within the Desktop Virtualization portfolio.

The announcement has made by Edward Screven, Chief Corporate Architect, during his webcast: "Oracle + Sun: Virtualization Strategy".
The sheets of this presentation are down loadable as well.

Good news for everyone working with Sun Secure Global Desktop or should we now refer to the product as Oracle Secure Global Desktop :)

Secure. Global. Desktop. Complete.

Secure Desktop, Going beyond the default security ...

On November 10, 2009 Sun Microsystems Netherlands organized a Sun Desktop Update Seminar for customers and Sun partners. The focus of this seminar was the new enhancement and possibilities of the Sun Desktop products focused on the new versions of Sun Virtual Desktop Infrastructure, Sun Ray Server Software and Sun Secure Global Desktop.

I was one of the speakers of this seminar and gave a presentation on the (new) security aspects and deployment options of Sun Secure Global Desktop.

Download theslides of my presentation:
Secure Desktop, Going beyond the default security ... .

Find here download links to the other presentations.

SSGD modifying Apache and Tomcat for production

Installing and configuring Sun Secure Global Desktop for testing is easy. Most administrators use the same steps to install SSGD on an Acceptance and/or Production environment, but the requirements for a Acceptance/Production environment should be a bit different. When exposing a service to the Internet the service is open for anyone including people with less positive intentoions.

SSGD is secure by design and the security certifications are enough for Intelligence Agencies to use SSGD as their product for remote access to applications.

There are however minor modifications possible for the SSGD web server to enhance the security even more. For instance the default installation of SSGD provides the version and the installed modules of the Apache web server.

It is advisable to check / modify the configuration as described below.

Remove version information from server response header field:
Add the following line in the server config part of httpd.conf. If you don't know where place it below the 'ServerRoot'-directive.

ServerTokens Prod

(file /opt/tarantella/webserver/apache/<version>/conf/httpd.conf)


Remove directory listings of directories without default web-page (apache):
Edit http.conf and for every line starting with 'Option' add the minus sign for 'Indexes'. For example:

change in file /opt/tarantella/webserver/apache/<version>/conf/httpd.conf

Options Indexes FollowSymLinks

to

Options -Indexes FollowSymLinks

Remove directory listings of directories without default web-page (tomcat):
Open file web.xml and look for ' listings'. Set the param-value to false. This setting is correct in some versions of SSGD.

change in file /opt/tarantella/webserver/tomcat/<version>/conf/web.xml

<init-param>
  <param-name>listings<:/param-name>
  <param-value>true<:/param-value>
</init-param>

to

<init-param>
  <param-name>listings<:/param-name>
  <param-value>false<:/param-value>
</init-param>

Remove stack-traces for erroneous jsp-files:
This option is very usefull on production servers when for instance the Look&Feel of the webtop pages has been altered. The simplest way is to show a default error-page for erroneous pages. When the error-page does not exsist Tomcat will return an empty page (hence no java stack traces).
change in file /opt/tarantella/webserver/tomcat/<version>/conf/web.xml

</web-app>

to

<error-page>
  <exception-type>java.lang.Exception</exception-type>
  <location>/internalError.html</location>
</error-page>
</web-app>

For more SSGD Security information (including these options) take a look at the 'Secure Deployment Checklist' at wikis.sun.com. An other good article is: 'HOWTO Secure Access to the Administration Console'.

Just keep in mind connecting any server to the Internet requires good security settings independent on how secure the product is by default.

Login button on logged-out-page not always 'active'

When a users logs out of the SSGD webtop with the logout-button the logged-out-page is shown. The logged-out-page contains a login-button. The login-button is not always 'active' (when clicking on the login-button nothing happens).

When looking into the JSP-code of the logged-out-page the 'activation' of the login-button is based upon the status of the TCC (Tarantella Client Connector/a SSGD-application which displays the applications). When the TCC is still running the login-button is 'activated'. This is a bit strange since logging out of the SGD webtop will stop the TCC.

/opt/tarantella/webserver/tomcat//webapps/sgd/webtops/standard/webtop/logged-out.jsp
I saw a check to 'enable' or 'disable' the login-button. The button is 'enabled' when the TCC is stll running.


A quick fix to always show the link by editing the logged-out-page. Follow these steps:

• Logon to the SSGD server

• Go to the directory:
  /opt/tarantella/webserver/tomcat//webapps/sgd/webtops/standard/webtop

• Edit the file:
  logged-out.jsp

• change line (109 for SGD4.50) from

boolean showLoginLink = (tccStarted != null && tccStarted.equals("true"));

• to

boolean showLoginLink = (tccStarted != null && tccStarted.equals("true"));
showLoginLink = true;

After this change verify the change by logging on to the webtop and log out again to see if the login-button is 'active'.