Monday Jul 19, 2010

Using Oracle Virtual Desktop Client with smart card

As you may have discovered, last week Oracle released updates for Sun Ray software and the Oracle Virtual Desktop Client (OVDC) which are described in more detail on the ThinkThin blog.

I wanted to test OVDC with the new smart card functionality to hotdesk my Desktop session between a Sun Ray DTU and the OVDC. But I encountered a small issue when using the smart-card (in fact I was to lazy to read the Release Notes :-)

Before using OVDC you have to enable access for it on the server. This is done automatically if you use the Sun Ray server software as part of the full Oracle VDI stack. But you can also do this manually via the Sun Ray Admin GUI. However, for enabling OVDC access with a smart card this option is not available yet in the Admin GUI. Below I explain what I did in my demo-server infrastructure.

I connected with OVDC on my Windows XP notebook with integrated smart card reader to the patched Sun VDI server and I did get the standard Oracle/Sun VDI Desktop Login screen. When I inserted a smart card in my Windows XP notebook, it connected to the VDI server, but it did not get the Desktop Login screen. Instead, I did get a little icon with a status code 47 in the lower right.

No OVDC Access Icon

On the Sun Ray Wiki you can find a page with SRSS Troubleshooting Icons, where I found that status code 47 means No access for Sun Desktop Access Clients. The Release notes of OVDC helped me to find out that I can enable access for OVDC smart card sessions with the utpolicy CLI-command and the switch -u to specify the policy for card, pseudo or both (resp. smart card session, non-smart card session and both types).

I logged into my Sun VDI (or standalone Sun Ray) server as the root user and I changed the Sun Ray server policy with the following commands:

# First check the current policy on the server
root@vdiserver:# /opt/SUNWut/sbin/utpolicy
# Current Policy:
-a -z both -k both -m -u pseudo

# Change the policy (-u both) to accept card and non-card OVDC sessions
root@vdiserver:# /opt/SUNWut/sbin/utpolicy -a -z both -k both -m -u both

# Restart authentication manager (needed for policy change)
root@vdiserver:# /opt/SUNWut/sbin/utrestart -c
root@vdiserver:# 

After the restart of the Sun Ray Server services and reconnecting OVDC to the server I could hotdesk my Virtual Desktop session between the Sun Ray DTU and the OVDC software client.

Thursday Jul 15, 2010

Updates for Sun Ray Software

A quick note about Sun Ray Software updates already posted in other blogs: my colleague Arjan posted a blog about the Oracle Sun Ray press announcement and on the ThinkThin blog two articles (more technical/functional oriented) about the updates in the Sun Ray Software and a new version of PCSC-lite software.

Tuesday Jun 08, 2010

SysAdmin access in Oracle VDI

The Oracle VDI server software is an integrated stack with a single installer. It installs several components in the Solaris server system such as the vdi-core, the embedded cluster database, the rdp-broker and last but not least, the Sun Ray server software.

Oracle VDI Desktop Login screenAfter the installation and configuration of your Oracle VDI cluster, the Sun Ray server software is by default configured in kiosk mode policy with Oracle VDI as the standard application. When you connect a Sun Ray DTU device to the network it always displays the standard Desktop Login screen as shown on the left, both for smartcard or non-smartcard access.

When you enter your user credentials you are connected to your assigned virtual desktop. Wherever you are, wherever you go, you are always connected to your own desktop. This is perfect for the end-user, but the System Administrator always has more wishes to connect to the IT-system.

The SysAdmin responsible for the Oracle VDI cluster manages the infrastructure of the virtual desktop platform with the web-based Oracle VDI GUI. With the GUI the SysAdmin manages the following components:

  • the connection to the user-directory (such as the Active Directory),
  • the connection to the virtualization platforms (Virtual Box or VMware) and the storage infrastructure,
  • the assignment of users to desktops,
  • the pools where the virtual desktops resides on the platform.

Oracle VDI Web-admin GUI

For the more advanced features the SysAdmin has the possibility to access the underlying Solaris system and use CLI-commands or inspect log-files. Most likely, the SysAdmin desktop device or laptop is connected to a management network and he logs into the Oracle VDI server using the SSH-protocol.

I always find it useful to add another access mechanism for the SysAdmin. This is typically needed when you want to support the end-user at his desk in his office and want fast access to the Oracle VDI server to troubleshoot for example. I configure a smart-card which offers me a regular Solaris desktop on the Oracle VDI server (note: this is unsupported for end-users in the VDI model, but IMHO fine for limited use for SysAdmins).

Configuring the smart-card for Solaris access is very easy to do, a few CLI- commands on the Oracle VDI server while your smart-card is inserted in the Sun Ray DTU. First you discover your smart-card tokenID with utsession -l (in my case it is MicroPayflex.500406f700130100), you register the smart-card with utuser -a in the Sun Ray server data-store and then you override the standard smart-card policy with utkioskoverride -s regular for this smart-card tokenID:

    # utsession -l
      Configuration for token ID 'MicroPayflex.500406f700130100':
      encryptUpType=ARCFOU
      encryptDownType=ARCFOUR
      authenticateUpType=DSA
      authenticateDownType=simple
      securityMode=hard
      clientAuthenticationMode=soft
      clientKeyStatus=unconfirmed
      clientKeyID=5f368b597f32fd5944229e5a676add14
      terminalCIDs=IEEE802.0021281506de
    # utuser -a "MicroPayflex.500406f700130100,,,jaap,"
      Added one user.
    # utkioskoverride -s regular -r MicroPayflex.500406f700130100
      The session type has been successfully changed. Please note that changes
      will only take effect the next time a session is started for the specified
      token
    # utsession -t MicroPayflex.500406f700130100 -k
    # 

The last CLI-command utsession kills your current Sun Ray session (the one with the Oracle VDI Desktop Login screen) and returns with a regular Solaris Desktop login as shown in the picture below.

Solaris Desktop Login screen

The utkioskoverride is a very powerful CLI-command. One of the Sun Ray engineers has written a nice blog about Using different Kiosk Sessions for different tokens. Recommended to read if you need some more flexibility in Kiosk configuration settings.

About

I post here hands-on examples which I have used in my Oracle VDI Desktop Virtualization projects at customers and partners.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today