
News, tips, partners, and perspectives for Oracle’s virtualization offerings

Installing Secure Cloud Access Solution on-premises or in the Cloud

Jan Hendrik Mangold
SGD Senior Product Manager

Customers face the challenge of providing remote access to console, desktop, or application environments in the Cloud or on premises while ensuring privileged users can still access data. How do you access a full Linux desktop environment for application or database installation and administration without the pain of setting up VNC access?

Oracle Secure Global Desktop (SGD) is the secure remote access solution for cloud-hosted enterprise applications and desktops running on Microsoft Windows, Linux, Solaris and mainframe servers, accessible from a wide range of popular client devices.

The easiest way to install SGD on Linux (in a VM or on a physical host, on Oracle Cloud Infrastructure or on-premises) without using a pre-defined template is to create a Single Host Gateway Deployment as described in this blog post (referenced in the Deployment Guide).

The setup described here co-locates the SGD gateway with the SGD server on the same OS instance which has two important caveats:

  1. A co-located setup of SGD gateway and server does not support the formation of SGD arrays
  2. The setup cannot be easily reversed

Download SGD

Download the SGD 5.3 rpm from here by looking for Oracle Secure Global Desktop and choosing the latest version (5.3.0.0.0 as of this writing).

Then select the desired architecture (the rest of these instructions assume Linux).

Preparation and Installation

Prepare your Linux instance by installing a GUI (this step is only needed if you want to launch graphical applications on the SGD server itself, such as gnome-terminal or gnome-session).

[root@d7fb76 ~]# yum groupinstall "Server with GUI"

Next, install the rpm and start SGD for the first time, which guides you through the setup. On an Oracle Cloud instance SGD will automatically pick up the internal hostname. You can continue with that, because we will install the SGD Gateway in a later step and configure it with the externally reachable FQDN. At this point I want to mention that it is probably a good idea to have a static external IP reservation for your server, so you won't have to reconfigure everything after a reboot; on OPC that also applies to the internal IP address and can be achieved by giving your instance a name.

[root@d7fb76 ~]# yum install tta-5.30-914.x86_64.rpm 
[root@d7fb76 ~]# /opt/tarantella/bin/tarantella start 
[root@d7fb76 ~]# /opt/tarantella/bin/tarantella stop --kill

Now that the SGD server is installed, we stop it and install the Gateway. SGD has to be stopped because it listens on the same ports (80 and 443) as the Gateway.

[root@d7fb76 ~]# cd /opt/tarantella/var/docroot/gateway
[root@d7fb76 ~]# yum install SUNWsgdg-5.30-914.x86_64.rpm
[root@d7fb76 ~]# /opt/SUNWsgdg/bin/gateway setup
# make sure you enter your external FQDN during setup
[root@d7fb76 ~]# /opt/tarantella/bin/tarantella discover gateway --local
[root@d7fb76 ~]# /opt/SUNWsgdg/bin/gateway config enable --routes-http-redirect
[root@d7fb76 ~]# /opt/SUNWsgdg/bin/gateway config enable --services-reflection-auth
[root@d7fb76 ~]# /opt/SUNWsgdg/bin/gateway start
[root@d7fb76 ~]# /opt/tarantella/bin/tarantella start

Adding a User Profile

At this point you have a running SGD Gateway + Server setup on your instance. Next we will create and configure a local user to log in to SGD. This will be a regular Unix user. On Oracle Cloud we can add that user to the ADMINS group, or to whichever group is configured to use sudo (check /etc/group or /etc/sudoers), so this user will be able to sudo without a password. To add the new user to multiple groups, separate the group names with commas.

[root@d7fb76 ~]# useradd -m -c "SGD Admin User" -G ADMINS sgdadmin
[root@d7fb76 ~]# echo "superSecret" | passwd --stdin sgdadmin

Now we tell SGD about this user and grant the user SGD administrator privileges. The structure dc=com/dc=oraclecloud/dc=compute is arbitrary; the user profile we are creating does not have to match any particular structure.

[root@d7fb76 ~]# /opt/tarantella/bin/tarantella object new_dc --name dc=com
[root@d7fb76 ~]# /opt/tarantella/bin/tarantella object new_dc --name dc=com/dc=oraclecloud
[root@d7fb76 ~]# /opt/tarantella/bin/tarantella object new_dc --name dc=com/dc=oraclecloud/dc=compute
[root@d7fb76 ~]# /opt/tarantella/bin/tarantella object new_person \
	--name .../_ens/dc=com/dc=oraclecloud/dc=compute/cn=sgdadmin \
	--user sgdadmin \
	--surname "SGD Admin" \
	--enabled true
[root@d7fb76 ~]# /opt/tarantella/bin/tarantella role add_member \
	--role "o=Tarantella System Objects/cn=Global Administrators" \
	--member .../_ens/dc=com/dc=oraclecloud/dc=compute/cn=sgdadmin
[root@d7fb76 ~]# /opt/tarantella/bin/tarantella role add_link \
	--role "o=Tarantella System Objects/cn=Global Administrators" \
	--link o=applications/cn=Applications

You can now log in to your SGD server as sgdadmin with the password superSecret and configure other users, applications and application servers, either via the web-based Administration Console or via the command-line interface /opt/tarantella/bin/tarantella (certain CLI operations, such as stopping and starting SGD, require root, so use sudo).

Oracle Linux 7 firewalld

Most standard OL7 installations have firewalld installed and running. By default it only allows port 22, so we need to open ports 80 and 443.

[root@c3763d zones]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2017-05-22 12:23:55 EDT; 55min ago
     Docs: man:firewalld(1)
 Main PID: 1438 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─1438 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
...
[root@c3763d zones]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@c3763d zones]# firewall-cmd --zone=public --add-port=443/tcp --permanent
success
[root@c3763d zones]# firewall-cmd --reload

FQDN changes

When a server installed with SGD is stopped and started again, its external Fully Qualified Domain Name (FQDN) might change, for example when DHCP is used or the server runs in certain cloud environments without a reserved IP address. You can tell SGD to monitor such a change and automatically react to it during startup by setting tarantella.config.server.autorenameonstart to 1.

[root@c3763d ~]# grep autorenameonstart /opt/tarantella/var/serverconfig/local/server.properties
tarantella.config.server.autorenameonstart=0
[root@c3763d ~]# /opt/tarantella/bin/tarantella config edit --tarantella-config-server-autorenameonstart 1

Oracle Cloud Security considerations

SGD uses ssh with a username and password to connect to application servers. Oracle Cloud instances have ssh password authentication disabled by default.

Modify sshd_config

To allow password authentication from the internal network only, add the following Match block at the end of the /etc/ssh/sshd_config file (every line after a Match line belongs to that block) and restart sshd.

/etc/ssh/sshd_config on Linux instances

# adjust address and CIDR based on your network
Match Address 10.0.0.0/8
        PasswordAuthentication yes

/etc/ssh/sshd_config on Solaris instances

# adjust address and CIDR based on your network
Match Address 10.0.0.0/8
        KbdInteractiveAuthentication yes
        PasswordAuthentication yes
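The following is an added example, not part of the original post: a small evaluator for the Match Address semantics relied on above, so you can check which PasswordAuthentication value sshd would apply to an internal versus an external client before restarting sshd. The sample config is constructed here; it mirrors the snippet above with password logins disabled globally and enabled only for 10.0.0.0/8.

```python
import ipaddress

# Constructed sample mirroring the snippet above: password logins stay
# disabled globally and are enabled only for the internal 10.0.0.0/8 range.
SAMPLE_SSHD_CONFIG = """
PasswordAuthentication no
PubkeyAuthentication yes
# adjust address and CIDR based on your network
Match Address 10.0.0.0/8
        PasswordAuthentication yes
"""


def address_matches(client_ip, patterns):
    """Match Address takes a comma-separated CIDR list; a leading '!' negates."""
    ip = ipaddress.ip_address(client_ip)
    for pattern in patterns.split(","):
        negate = pattern.startswith("!")
        if ip in ipaddress.ip_network(pattern.lstrip("!"), strict=False):
            return not negate
    return False


def effective_setting(config_text, keyword, client_ip, default="no"):
    """Value of `keyword` sshd would apply to a client connecting from `client_ip`.

    Lines before the first Match are global; every later line belongs to the
    most recent Match block (so a "global" line placed after the block is
    silently scoped to it). The first global value wins, and the first
    matching block overrides it. Only the Address criterion is evaluated.
    """
    global_value = block_value = None
    in_block = None  # None: global section; True/False: current block matches
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()
            in_block = len(tokens) > 1 and tokens[0].lower() == "address" and address_matches(client_ip, tokens[1])
        elif key != keyword.lower():
            continue
        elif in_block is None and global_value is None:
            global_value = value
        elif in_block and block_value is None:
            block_value = value
    return block_value or global_value or default
```

With the constructed config, a client from 10.20.30.40 gets "yes" while one from 203.0.113.7 keeps the global "no".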

Provide the Oracle Cloud registered private key

Alternatively, one can provide the private key registered with the IaaS instance during provisioning to the SGD processes that establish the connection to other application servers. Any X11 connection is made as user ttasys, so the private key goes in ~ttasys/.ssh/. Once the key is in place, SGD still needs to be told which user to log in as. This can be accomplished by seeding a pass cache entry.

In the following example I assume the default user for IaaS is opc, so I add a pass cache entry for the sgdadmin person object and a specific application server (resource). I specify the user (opc), but the password doesn't really matter. In this example I am using an application server named Oracle Solaris 11.3 that I created previously.

[root@d7fb76 ~]# /opt/tarantella/bin/tarantella passcache new \
	--person .../_ens/dc=com/dc=oraclecloud/dc=compute/cn=sgdadmin \
	--resource "o=appservers/cn=Oracle Solaris 11.3" \
	--resuser opc \
	--respass "irrelevant"

X11 keyboard mapping

If you launch a gnome-terminal and have problems with your ~ key, add the following to your .bash_profile on the application server. It modifies the X11 keyboard mapping only when the session comes in via SGD.

[ -z "${TTA_EXTDNSNAME}" ] || xmodmap -e "keycode 94 = grave asciitilde"

Learn More

For more details on SGD and the new release, please consult the release notes in the documentation. To get started, you can download the SGD software from Oracle Software Delivery Cloud by following the instructions on Oracle Technology Network.
