SysAdmin access in Oracle VDI
By Jaap on Jun 08, 2010
The Oracle VDI server software is an integrated stack with a single installer. It installs several components in the Solaris server system such as the vdi-core, the embedded cluster database, the rdp-broker and last but not least, the Sun Ray server software.
After the installation and configuration of your Oracle VDI cluster, the Sun Ray server software is by default configured with a kiosk mode policy, with Oracle VDI as the standard application. When you connect a Sun Ray DTU device to the network, it always displays the standard Desktop Login screen as shown on the left, for both smartcard and non-smartcard access.
When you enter your user credentials you are connected to your assigned virtual desktop. Wherever you are, wherever you go, you are always connected to your own desktop. This is perfect for the end-user, but the System Administrator usually wants more ways to connect to the system.
The SysAdmin responsible for the Oracle VDI cluster manages the infrastructure of the virtual desktop platform with the web-based Oracle VDI GUI. With the GUI the SysAdmin manages the following components:
- the connection to the user-directory (such as the Active Directory),
- the connection to the virtualization platforms (VirtualBox or VMware) and the storage infrastructure,
- the assignment of users to desktops,
- the pools where the virtual desktops reside on the platform.
For the more advanced features the SysAdmin has the possibility to access the underlying Solaris system and use CLI-commands or inspect log-files. Most likely, the SysAdmin desktop device or laptop is connected to a management network and he logs into the Oracle VDI server using the SSH-protocol.
I always find it useful to add another access mechanism for the SysAdmin. This is typically needed when you want to support the end-user at his desk in his office and want fast access to the Oracle VDI server, to troubleshoot for example. I configure a smart-card which offers me a regular Solaris desktop on the Oracle VDI server (note: this is unsupported for end-users in the VDI model, but IMHO fine for limited use for SysAdmins).
Configuring the smart-card for Solaris access is very easy to do: it takes a few CLI-commands on the Oracle VDI server while your smart-card is inserted in the Sun Ray DTU. First you discover your smart-card tokenID with utsession -l (in my case it is MicroPayflex.500406f700130100), then you register the smart-card in the Sun Ray server data-store with utuser -a, and finally you override the standard smart-card policy for this smart-card tokenID with utkioskoverride -s regular:
```
# utsession -l
Configuration for token ID 'MicroPayflex.500406f700130100':
encryptUpType=ARCFOU
encryptDownType=ARCFOUR
authenticateUpType=DSA
authenticateDownType=simple
securityMode=hard
clientAuthenticationMode=soft
clientKeyStatus=unconfirmed
clientKeyID=5f368b597f32fd5944229e5a676add14
terminalCIDs=IEEE802.0021281506de
# utuser -a "MicroPayflex.500406f700130100,,,jaap,"
Added one user.
# utkioskoverride -s regular -r MicroPayflex.500406f700130100
The session type has been successfully changed.
Please note that changes will only take effect the next time a session is started for the specified token
# utsession -t MicroPayflex.500406f700130100 -k
#
```
The last CLI-command, utsession, kills your current Sun Ray session (the one with the Oracle VDI Desktop Login screen) and returns with a regular Solaris Desktop login as shown in the picture below.
The utkioskoverride is a very powerful CLI-command. One of the Sun Ray engineers has written a nice blog about Using different Kiosk Sessions for different tokens. It is recommended reading if you need some more flexibility in Kiosk configuration settings.
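Because the override hands a full Solaris login to whoever presents the token, it is worth reviewing the session settings reported for that token before running utkioskoverride. The shell script below is an added example, not part of the original post or of the Sun Ray software: it parses the configuration block shown in the session above, and the function name review_token_config and the choice of which values to flag are assumptions.

```shell
#!/bin/sh
# Added example: review the configuration block printed for a token before
# that token is given a regular (non-kiosk) session.

# Constructed sample: the configuration block shown in the session on this page.
SAMPLE_CONFIG="Configuration for token ID 'MicroPayflex.500406f700130100':
encryptUpType=ARCFOU
encryptDownType=ARCFOUR
authenticateUpType=DSA
authenticateDownType=simple
securityMode=hard
clientAuthenticationMode=soft
clientKeyStatus=unconfirmed
clientKeyID=5f368b597f32fd5944229e5a676add14
terminalCIDs=IEEE802.0021281506de"

# review_token_config TOKEN
# Reads a configuration block on stdin and prints one "FLAG ..." line per
# finding. Returns 0 when nothing is flagged, 1 when a setting is flagged or
# the block belongs to a token other than TOKEN.
review_token_config() {
    awk -F= -v want="$1" '
        function flag(s) { print "FLAG " s; bad = 1 }
        /^Configuration for token ID/ {
            # The token ID sits between single quotes (\047) in the header.
            if (split($0, q, "\047") >= 3) seen = q[2]
            next
        }
        # Assumed policy for this example, not vendor guidance.
        $1 == "securityMode" && $2 != "hard"             { flag($0) }
        $1 == "clientAuthenticationMode" && $2 == "soft" { flag($0) }
        $1 == "clientKeyStatus" && $2 == "unconfirmed"   { flag($0) }
        END {
            if (seen != want) flag("token mismatch: got \"" seen "\"")
            exit bad + 0
        }
    '
}

# Run the review on the sample block; the findings are printed one per line.
printf '%s\n' "$SAMPLE_CONFIG" |
    review_token_config MicroPayflex.500406f700130100 || true
```

On a live server the block would be piped in from the utsession output instead of the embedded sample, and the override would only be applied once the review returns 0 or the findings have been accepted.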