Friday May 10, 2013

Reduce IT Help Desk calls when using Oracle VDI

Enjoying beach life in the Caribbean or hiking in the rolling hills of Tuscany. Blue skies, great temperatures, wine, fine food and spending some quality time with family and friends. All the great things you can do in the upcoming holiday season.

Is this an introduction for a Travel Blog or a serious article about Desktop Virtualization ? It is the latter, but it has to do with the former: the problem of the forgotten password after returning from the holidays.

What is the problem ?

After a relaxing holiday you turn on your Sun Ray or launch your OVDC application to connect to your virtual desktop in the data center. But then it happens, your holiday was so relaxed that you forgot your password and you are forced to pick-up the phone and call the IT Help Desk to ask the SysAdmin to reset your password.

With the introduction of complex password requirements, this is not an unusual scenario. IT staff is often burdened with resolving these calls, resulting in an increased administrative load for the IT department. At the same moment, the end user loses valuable work time because he is locked out of the network temporarily and unable to work.

With an average of 5% of the users who forgot their passwords after the holidays and an average cost of US $25 per help desk call, this can cost an organisation with 10.000 users around US $12.500 per two or three days when the holidays are over.

How can we solve this ?

Password expiration, forgotten passwords or other user access privileges are addressed by Identity Management systems. There are several solutions on the market and also Oracle has a nice solution which is called the Oracle Identity Manager.

Explaining Identity Management is outside the scope of this article, so I skip that. But with a recently added and less known feature of the Oracle VDI broker (the Helper Function for the Desktop Login Screen) I explain how users are able to connect very easily to any web-based Help Desk system to do a Password Reset for example.

How is it implemented ?

You can add an item to the More Options menu in the Oracle VDI Desktop Login screen to run temporarily an alternative kiosk session. In our Forgotten Password example this might be a kiosk web-browser connecting to the Identity Management system. The picture on the left shows the added entry in the More Options menu.

The Helper Function feature is very easy to implement. First you configure the helper application in the Sun Ray kiosk interface. In my Forgotten Password example I use a Firefox web-browser. I provide kiosk scripts at the bottom of this article ( and helpdesk.conf) which I store in the helpdesk directory. And the second step is to configure the Oracle VDI broker to add the kiosk session as Helper Function in the Desktop Login screen. On all of your Oracle VDI broker servers you should do the following configuration steps:

  • Configure the name of a directory in the /etc/opt/SUNWkio/sessions directory, in my example helpdesk:
     # /opt/SUNWvda/sbin/vda settings-setprops -p client.kiosk.type=helpdesk
  • Configure the label that displays in the More Options menu:
     # /opt/SUNWvda/sbin/vda settings-setprops -p client.kiosk.label="Help Desk"
  • Configure any optional kiosk session arguments and settings that should be used when starting the kiosk session. For my kiosk web-browser it is the URL to the Identity Manager server:
     # /opt/SUNWvda/sbin/vda settings-setprops -p client.kiosk.settings=http://server.url/

In the following video I demonstrate the Forgotten Password use-case scenario. In my demonstration I used the Oracle Identity Manager server (very kindly provided to me by my Oracle colleague Rene Klomp) to reset the password. When the new password is entered in the Identity Manager system, it is automatically synchronized with the Active Directory server that is used by the Oracle VDI broker for user authentication.

Help Desk Kiosk scripts

Here are the kiosk scripts that I used on my Oracle VDI Solaris server. Beware that you have to setup the correct Firefox prototype settings to store in the /etc/opt/SUNWkio/prototypes/default directory. I leave that as exercise for the reader . 

# more /etc/opt/SUNWkio/sessions/helpdesk.conf 
KIOSK_SESSION_LABEL="Helpdesk Kiosk Mode"

# more /etc/opt/SUNWkio/sessions/helpdesk/ #!/bin/sh FF_EXEC=/usr/bin/firefox if [ -z "$1" ] ; then zenity --error --text="No server specified\nConsult your System Administrator" else URL="$1" fi exec /usr/bin/metacity & if [ -x "${FF_EXEC}" ] ; then $FF_EXEC -P Kiosk $URL else zenity --error --text="The Firefox Web-browser is not installed\nConsult your System Administrator" fi

Thursday Mar 28, 2013

Oracle VDI 3.5 Installation notes for Solaris 11.1

Oracle released Oracle VDI 3.5 last week. You may have seen the announcements on the Oracle website, Blogs or social media. In this article I want to share my installation notes of Oracle VDI 3.5 software on the newly supported Solaris 11.1 platform. 

For me, this was also my first Solaris 11 server installation experience and I was happy to find out that installing Solaris 11.1 and Oracle VDI 3.5 was a rather easy activity. On my lab server I used the Solaris 11.1 text-based installation, this is the image for server deployments and during the initial configuration I configured the server with static IP-address, my lab DNS server and DNS domain.

During installation I created the initial user account with username vdiadmin. As you may know you can't login as the super-user root in Solaris 11 and for all the remaining system commands with root-privileges you can use the sudo command (or just change to the root-role with the su command).

Solaris Package Repository

After the basic Solaris 11.1 installation you need to configure the Solaris Support repository. By default only the Release repository is configured. This is important, because Oracle VDI needs more Solaris packages then installed in the standard configuration, the Oracle VDI installer will download the packages automatically from the repository.

Run the below pkg command in Solaris to check the repository, initially it shows you the Release repository:

    # pkg publisher 
    solaris     origin online 

I used the information from the Solaris documentation to configure the online Solaris Support repository. If your server is not connected to the Internet, then you should configure your own, local repository by using the Solaris 11.1 Repository Image

To configure the Solaris Support repository, obtain key and certificate files from Login with your MOS credentials and follow the steps for Solaris 11 support. After you have finished the steps you can verify the changed repository and run a pkg update to install the latest Oracle Solaris 11 Support Repository Update (SRU) and reboot:

    # pkg publisher
    solaris     origin  online
    # sudo pkg update 
    # sudo init 6

Oracle VDI Installation Process

If you download the Oracle VDI 3.5 software package, you should pay attention to download the correct installation zip-file. There is now a difference between Solaris 10 and Solaris 11 installation zip-files. 

After unpacking the VDI 3.5 installation zip-files, I decided to run vda-install and vda-config separately:

    # sudo ./vda-install -i

The installer starts to check the required libraries and packages in Solaris 11.1. In my case (text-based Solaris 11.1 installation) it needed to download about 600 MB of data from the Solaris 11 repository. After the download and installation of the packages, the Oracle VDI installer automatically continues with the basic Oracle VDI installation.

Depending on your network connection, downloading 600 MB of Solaris packages takes some time. You may monitor the process by viewing the installation log file (in a separate Terminal window) for information about the progress of downloading and installing the packages.

    # tail -f  /var/sadm/install/logs/vda-install.timestamp.log

I decided to do a reboot when vda-install was finished because of all the newly installed packages. I'm not sure if this is really necessary. After the reboot I continued with the vda-config command to start the configuration of my single-node Oracle VDI server. In the configuration settings I used my initial user vdiadmin as VDI Administrator:

    # sudo /opt/SUNWvda/sbin/vda-config
    Review the settings for a new Oracle VDI Center:
       Name: VDI Center
       Administrator Password: ********
       VDI Administrator (super-user): vdiadmin
       DNS name of this host: ovdi-host20.ovdi.local
       Maximum number of sessions on this host: 100
       User ID range start: 150000
       Database: Embedded Oracle VDI
    Do you want to create the Oracle VDI Center now?
    Enter 'c' to customize the settings. ([y]/c):


Virtual Box Installation Process

Because of the changes in Solaris 11 for the root-role, I decided to configure the Virtual Box processes under non-root privileges: you can use your standard user ('vdiadmin' in my case). 

Because of the non-root priviliges, you are also forced to configure a non-privileged TCP port for the Virtual Box web-service. I used the TCP port that was suggested by the installer:

    # sudo ./vb-install 
    Oracle VM VirtualBox Installation for Solaris
    Unpacking Oracle VM VirtualBox package.
    Select an existing user for VirtualBox: vdiadmin
    Enter the password for user 'vdiadmin': #########

    Specify the VirtualBox SSL port [18083]: 18083
    Oracle VM VirtualBox 4.2.10 Installation
    + Installing Oracle VM VirtualBox Core
    ...etc etc....


Connect to the Oracle VDI Manager

If you connect with Firefox to the Oracle VDI Manager for the first time, you got the following error message on the secure port of the VDI Manager:

This error is mentioned in the Oracle VDI 3.5 Release Notes. Oracle Solaris 11 uses Transport Layer Security (TLS) version 1.1, which Firefox does not support yet. The workaround is to connect and authenticate with TLS 1.0 disabled in Firefox preferences:

    Advanced -> Encryption, unchecked Use TLS 1.0.


Some Closing Remarks

  • NTP services: works exactly the same as with Solaris 10, just make sure /etc/inet/ntp.conf has the right server settings before you start configuring Oracle VDI.
  • Kerberos: also works the same as Solaris 10. I used copied my /etc/krb/krb5.conf configuration file from Solaris 10 without any changes.
  • I also did another Solaris 11.1 installation where I used the Oracle Solaris 11.1 Live Media for x86, that also worked fine. I only had some difficulties changing IP-address from DHCP to static. Just read the documentation or Google to use the right procedure.

Tuesday Dec 20, 2011

Oracle Virtual Desktop Client for iPad 1.1 is released

In the iPad App Store you will find a new release of the Oracle Virtual Desktop Client for iPad. This is version 1.1 of the client and when you installed the App already on your iPad it automatically announces itself in the Updates section.

With OVDC for iPad you can connect from the iPad to your hosted virtual desktop in the data-center infrastructure. See my blog article OVDC for iPad in action with an explanation and sample use-cases.

The improvements in the new release (as documented in the OTN documentation website) are focused around user experience:

  • External Keyboard Support: you can use an Apple Wireless Keyboard or Apple iPad Keyboard Dock as an external keyboard.
  • Improved On-Screen Keyboard Language Support: users can now configure international languages for the on-screen keyboard. See the release notes for the supported languages.
  • New on-screen button icons: enable you to quickly display the on-screen keyboard and the Oracle Virtual Desktop Client side bar. The button icons provide an alternative to using gestures.
  • iPad Settings: the iPad Settings app now includes a section called Virtual Desktop. Here you can configure settings for Oracle Virtual Desktop Client, such as the language used for the on-screen keyboard and whether to display button icons for the side bar and keyboard.
  • New Gesture: a new gesture has been introduced that emulates the middle scroll wheel on a mouse. To use the scroll gesture, drag upwards or downwards with two fingers.

After I installed the update and connected to a remote server, the on-screen keyboard immediately displayed automatically. This is a change with the previous version where you first had to use the three finger gesture to display the on-screen keyboard before you could enter the user-credentials.

I also played with changing the keyboard language. You set the primary keyboard country and OVDC will send the keyboard country code to the remote server where the virtual desktops are hosted. This is done in the iPad Settings app, in the Virtual Desktop section.

OVDC for iPad Keyboard Language

Check also that the language you select for the primary keyboard country is present in the list of supported keyboards on the General, International, Keyboards page in iPad Settings. If the keyboard language is not present in this list, add the language.

In the sample screenshot you can see that I added four languages to my list, when you press the Globe key you can select the language that matches your primary keyboard country. I tested the French AZERTY layout and changed it to my preferred US layout.

Tuesday Jul 19, 2011

Oracle Virtual Desktop Client on iPad in action

You may have seen the product announcements two weeks ago for Oracle Virtual Desktop Client (OVDC) for iPad and the new release of Oracle VDI 3.3.

With OVDC for iPad you can connect from the iPad to your virtual desktop in the data-centre. This could be done from the local LAN (when moving between different office spaces or meeting rooms) or from any place connected to the Internet using the features for security with VPN support.

The key-point in using OVDC on the iPad (when you are on the move) is a quick look to secured and protected data, for example through business applications in your company or accessing patient records in a healthcare organization. Instead of using multiple iPad apps (with or without built-in security features) you only have a single OVDC app to access your desktop or applications infrastructure in the data centre.

The past two weeks I used the iPad in several circumstances to connect to the virtual desktop in the data centre. I used both private and public WiFi networks and also a 3G connection through a mobile phone (tethering). I was very surprised about the network performance of OVDC on the iPad, the efficient ALP protocol enabled me to work on a remote desktop over a 3G connection.

Last week I also installed and configured the VDI 3.3 software on my demo server and I thought about iPad use-cases to demonstrate during my customer presentations. During a demo of the Sun Ray and Oracle VDI technology I always see some great moments of enthusiasm when customers understand how they can use this cool technology to relieve from their daily struggle with IT infrastructures.

With the OVDC for iPad there is another great moment of enthusiasm introduced during the demo and I captured some of the iPad use-case scenario's of my demo in the below video.

This video demonstrates the following scenario's:

  • Launching OVDC on iPad (0:08)
  • Connect to Oracle VDI server (0:26)
  • Firefox in Windows 7 session (0:42)
  • Open Office presentation in Windows 7 (1:16)
  • VoIP (Skype) in Windows 7 (1:59)
  • Using Text editor in Windows XP (3:26)
Some pieces of the video are blurred, my camera had some focus problems.

Tuesday May 10, 2011

Sun Ray Software 5.2 Released

Today, Oracle released a new version of Sun Ray Server software. This new version 5.2 contains some significant changes and is a further step in the integration to a full Oracle product.

The documentation is not anymore on the good old Sun Wikis website, it is migrated to the Oracle documentation system and available as pdf documents. Like the previous version, the software bundle can be downloaded from the Oracle edelivery website, I used this entry point to edelivery.

Things have also changed for System Administrators. The Sun Ray Webadmin GUI is changed to the Oracle look-and-feel (which we already know from the Oracle VDI software).

Sun Ray Server WebAdmin GUI

A second change for the SysAdmin is the single installer (the utsetup command) that installs the entire Sun Ray Software product on the Sun Ray server. It installs the Sun Ray server, the Windows connector, the VMware View connector and the smart card services (based on PC/SC-lite). After installing the packages, the utsetup command steps through the configuration process. A reboot of the Sun Ray server between installation of the packages and configuration of the Sun Ray server is not necessary anymore.

The utsetup command also has a feature to automate the Sun Ray server installation and configuration process. With a response-file created during your first utsetup run, you can clone the Sun Ray server setup on other servers.

Another change important for the SysAdmin is the Firmware provisioning process. In previous versions, there were two versions of the firmware delivered: non-GUI firmware and a GUI firmware. In this release, there is one firmware version and the GUI must be enabled through configuration. 

 Other changes visible for the end-user are (see also the Release Notes):

  • Improved performance for video and audio streams on Windows XP and Windows 2003
  • Audio optimization which helps for reduced bandwidth and increased scalability
  • USB headset support for a specific list of USB headsets.
  • Better multi-monitor support and enhancements for VPN and Networking.

The Sun Ray Server software is supported on the following operating systems platforms:

  • Solaris 10 5/09 or later on SPARC and x86 platforms
  • Solaris 10 5/09 or later on SPARC and x86 platforms with Solaris Trusted Extensions
  • Oracle Linux 5.5 (32-bit and 64-bit)
  • Oracle Linux 5.6 (32-bit and 64-bit)
See the Installation and Configuration Guide for the support statement for Red Hat servers and additional software requirements. 

Thursday Aug 19, 2010

Use a different Kiosk session in Oracle VDI

Today I was preparing a customer project on my test server to run a different application (then the default Oracle VDI desktop) on some special Sun Ray DTUs. In a recent post I wrote about configuring Opera as a Sun Ray Webkiosk browser and this was the application we wanted to run on the special DTUs (for a reception area). In this article I explain how to configure this for the Webkiosk browser, but the scenario is the same for every application you have in mind for a kiosk session.

There are multiple ways to configure different kiosk applications in the Oracle VDI server environment:

  1. Write your own Kiosk Mode scripts. The Think Thin Blog is a very good source to get your inspiration,
  2. Use the Meta Kiosk add-on developed by Daniel Cifuentes,
  3. Use the standard Kiosk Mode interface as described in Jörg's Desktop Blog.

I decided to use method three, it is a less known feature in the Sun Ray Server software (which is embedded in the Oracle VDI software), easy to configure via the CLI (unfortunately it is not yet integrated in the GUI) and you do not need to write a shell-script to control the multiple applications Kiosk Mode logic.

To refresh your mind from the earlier blog post about Opera: you need to install the Opera web-browser on your Oracle VDI servers and you need to store the kiosk description file and launcher in the directory /etc/opt/SUNWkio/sessions.

When this is done you let the Oracle VDI server know that for a pre-determined number of Sun Ray DTUs you do not want to use the default (Oracle VDI) kiosk session, but the alternative Opera Webkiosk session (or any session that you have in mind as alternative). This is a three step process:

1. First you have to store the Opera browser kiosk session configuration in the Sun Ray server data store. You have to create a little configuration file and use this file to store the information in the data store. After this is done you check if it is stored together with the default session

    # I have created the WebkioskSession.conf with an editor.
    root@vdiserver:# cat WebkioskSession.conf
    root@vdiserver:# utkiosk -i WebkioskSession -f WebkioskSession.conf
    root@vdiserver:# utkiosk -l

2. Then you register the token of the device (e.g. pseudo.00144f5787d1) or the token of a smart-card. Adding a name to the registration is mandatory, I use dummy01 as a not existing username.

    root@vdiserver:# utuser -a "pseudo.00144f5787d1,,,dummy01,"

3. In the last step you override the default kiosk configuration by the alternative and restart the session by killing the current session for that token. 

    root@vdiserver:# utkioskoverride -r pseudo.00144f5787d1 -s kiosk -c WebkioskSession
    root@vdiserver:# utsession -k -t pseudo.00144f5787d1

If you have multiple tokens (for example 20 Sun Ray DTUs in your reception area), then step two and three are very easy to script in a shell command or shell script. I let this to the user as this is out-of-scope for this article.

Wednesday Aug 11, 2010

Change default Desktop Login Language in Oracle VDI 3.2

One of the new features in the recently released Oracle VDI 3.2 software is the addition of the Dutch language in the Oracle VDI Desktop Login screen. In this article I explain how to change the default Desktop Login language to your preferred language (I use Dutch in the examples, because I live in the Netherlands ;-) 

As soon as you connect with your Sun Ray DTU or Oracle Virtual Desktop Client (OVDC) to the Oracle VDI server you get the standard Desktop Login window. Most of the time, this window defaults to the English language (see the below picture). Through the "More Options, Language" drop-down menu you see a list of supported languages. With a few simple steps you can change the default language of the Desktop Login to your preferred language.

Oracle VDI Desktop Login Window in English Language

The Desktop Login window is launched by the Kiosk interface scripts. This is the glue between the embedded Sun Ray server software and the Oracle VDI broker software. The Kiosk interface scripts determines the language setting for the Desktop Login window through the underlying operating system. In our Solaris 10 Oracle VDI server this is done with the locale parameters.

During the Solaris 10 Operating System installation, the English version of Solaris is installed by default. Most likely you only provided information about the timezone of your server and not the information for your geographic regions and software localizations. On the Sun Developers Network website you can check a list with locale settings in the Solaris Locale Chart. To use the Dutch language in the Oracle VDI Desktop Login we need the nl_NL locale which is part of the Western European Region (WEU) in Solaris 10.

Follow the next four steps to configure your preferred language for the Oracle VDI Desktop Login window:

1. Check the installed locales on your Oracle VDI server with the following CLI-commands:

  # First check the current locales on the server (in this case it is the default)
  root@server:# locale -a

  # Or check if the Dutch locales are installed on your server
  root@server:# locale -a | grep nl

2. If your locale exists go to step 3, otherwise load your preferred locale from the Solaris 10 installation media (the Solaris 10 installation DVD or the downloaded Solaris 10 iso-file):

  # Insert Solaris 10 DVD in your drive, it will be automounted under /cdrom
  # In my example we install the nl_NL locale
  root@server:# localeadm -a nl_NL -d /cdrom/sol_10_1009_x86/

  # Use the following CLI-commands if you installed from an iso file
  # Find your iso file (in my case /stage) and mount the iso into a directory /mnt
  root@server:# mount -F hsfs -o ro `lofiadm -a /stage/sol-10-u8-ga-x86-dvd.iso` /mnt
  root@server:# localeadm -a nl_NL -d /mnt
  root@server:# umount /mnt; lofiadm -d /dev/lofi/1

3. Configure the locale in the Sun Ray Kiosk general properties settings:

  • Go to the Sun Ray sever Admin GUI (https://server:1661/) and login with root/passwd
  • Select Tab Advanced, sub-Tab Kiosk Mode and select Edit to change the properties for the Oracle Virtual Desktop Infrastructure session type. 
  • In the Locale property configure your preferred locale as shown in the below picture and save the properties

SRSS Admin GUI, Kiosk Mode properties

4. Restart your DTU session to show the new Desktop Login Language setting:

  • You can do this by selecting Quit in the Desktop Login window, or
  • You can do this with the key sequence CTRL-ALT-BS-BS.
If all went well you will see the Oracle VDI Desktop Login window in your preferred language. The below picture shows the Desktop Login window for the Dutch language.

Oracle VDI Dutch Desktop Login window

Monday Jul 19, 2010

Using Oracle Virtual Desktop Client with smart card

As you may have discovered, last week Oracle released updates for Sun Ray software and the Oracle Virtual Desktop Client (OVDC) which are described in more detail on the ThinkThin blog.

I wanted to test OVDC with the new smart card functionality to hotdesk my Desktop session between a Sun Ray DTU and the OVDC. But I encountered a small issue when using the smart-card (in fact I was to lazy to read the Release Notes :-)

Before using OVDC you have to enable access for it on the server. This is done automatically if you use the Sun Ray server software as part of the full Oracle VDI stack. But you can also do this manually via the Sun Ray Admin GUI. However, for enabling OVDC access with a smart card this option is not available yet in the Admin GUI. Below I explain what I did in my demo-server infrastructure.

I connected with OVDC on my Windows XP notebook with integrated smart card reader to the patched Sun VDI server and I did get the standard Oracle/Sun VDI Desktop Login screen. When I inserted a smart card in my Windows XP notebook, it connected to the VDI server, but it did not get the Desktop Login screen. Instead, I did get a little icon with a status code 47 in the lower right.

No OVDC Access Icon

On the Sun Ray Wiki you can find a page with SRSS Troubleshooting Icons, where I found that status code 47 means No access for Sun Desktop Access Clients. The Release notes of OVDC helped me to find out that I can enable access for OVDC smart card sessions with the utpolicy CLI-command and the switch -u to specify the policy for card, pseudo or both (resp. smart card session, non-smart card session and both types).

I logged into my Sun VDI (or standalone Sun Ray) server as the root user and I changed the Sun Ray server policy with the following commands:

# First check the current policy on the server
root@vdiserver:# /opt/SUNWut/sbin/utpolicy
# Current Policy:
-a -z both -k both -m -u pseudo

# Change the policy (-u both) to accept card and non-card OVDC sessions
root@vdiserver:# /opt/SUNWut/sbin/utpolicy -a -z both -k both -m -u both

# Restart authentication manager (needed for policy change)
root@vdiserver:# /opt/SUNWut/sbin/utrestart -c

After the restart of the Sun Ray Server services and reconnecting OVDC to the server I could hotdesk my Virtual Desktop session between the Sun Ray DTU and the OVDC software client.


I post here hands-on examples which I have used in my Oracle VDI Desktop Virtualization projects at customers and partners.


« February 2017