These release notes contain important information about Sun Secure Global Desktop Software version 4.3, including system requirements, new features and enhancements, and known limitations and problems. Read this document before you install and use this release.
Part Number: 819-6253
Version | Description |
---|---|
January 2007 | Microsoft Windows Vista is now supported as a client platform. Additional known issues. |
December 2006 | Additional known issue with SecurID authentication. |
November 2006 | Added details of smart card support, additional known bugs and corrections to the documentation. |
November 2006 | Additional known bugs and list of bug fixes. |
October 2006 | Additional known bugs and updated support for Certificate Authorities. |
September 2006 | First released version of release notes. |
June 2006 | Beta release. |
This section describes the system requirements for Sun Secure Global Desktop Software 4.3. It has the following sections:
Use the following hardware requirements as a guide and not as an exact sizing tool. For detailed help with hardware requirements, contact a Sun Secure Global Desktop Software sales office.
The requirements for a server hosting Secure Global Desktop can be calculated based on the total of the following:
The following are the requirements for installing and running Secure Global Desktop:
Note This is in addition to what is required for the operating system itself and assumes the server will be used only for Secure Global Desktop.
The following are the requirements to support users who log in to Secure Global Desktop and run applications. The actual CPU and memory requirements can vary significantly depending on the applications used:
The following are the supported installation platforms for Sun Secure Global Desktop Software 4.3:
Operating System | Supported Versions |
---|---|
Solaris™ Operating System (Solaris OS) on SPARC platforms | 8, 9, 10 |
Solaris OS on x86 platforms | 10 |
Red Hat Enterprise Linux (Intel x86 32-bit) | 3, 4 |
Fedora Linux (Intel x86 32-bit) | Core 5 |
SUSE Linux Enterprise Server (Intel x86 32-bit) | 9, 10 |
You may have to make some operating system modifications.
You must make the following operating system modifications to the host before you install Secure Global Desktop. Without these modifications the software may not install properly or operate correctly.
Make sure you allocate swap that is at least twice the size of physical memory. So if you have 1GB RAM, increase your swap to 2GB.
Secure Global Desktop will not install if the libXp.so.6 library is not available on the host. This library was deprecated in Fedora Core 3. However, the file is still available in the libXp package.
The libXm.so.3 library is required to support 5250 and 3270 applications. The library is available in the OpenMotif 2.2 package. The absence of this file no longer causes the installation to fail.
Secure Global Desktop will not install if the libgdbm.so.2 library is not available on the host. SUSE Linux Enterprise Server 9 with Service Pack 2 contains version 3 of the library by default. You must obtain and install version 2 of the library before installing Secure Global Desktop.
Secure Global Desktop will not install if the libgdbm.so.2 and libexpat.so.0 libraries are not available on the host. SUSE Linux Enterprise Server 10 contains version 3 and version 1 of these libraries by default. You must obtain and install the required version of these libraries before installing Secure Global Desktop.
Solaris OS comes in the following distributions: Core, End User, Development and Entire Distribution. You must install at least the End User distribution to get the necessary libraries required by Secure Global Desktop. If you do not, Secure Global Desktop will not install.
You should install the appropriate patches for your Solaris OS version. These are available from the SunSolve Online.
Note The patches recommended by Sun Microsystems for Solaris OS may not apply to Siemens Solaris-based systems. For information about which patches to install on these systems, refer to your Siemens contact or the Siemens web site.
Secure Global Desktop requires the /usr/lib/libsendfile.so library. If this library is missing, Secure Global Desktop will not install. This library may be included with your SUNWcsl (Core Solaris Libraries) package or you may have to apply patch 111297-01 (available from the SunSolve Online) to get it.
You will not be able to log in to Secure Global Desktop on Solaris 8 OS platforms if the host does not have the /dev/random pseudo device. You must install patch 112438-03 to obtain this device.
Each emulator session requires one pseudo-tty. For example, 50 users running 10 applications each on one application server requires 500 pseudo-ttys.
To set the number of pseudo-ttys, first back up your /etc/system file. Then edit the file and add the following line:
set pt_cnt=limit
where limit is the number of pseudo-ttys you require.
To create the new devices, reboot with the -r option.
See SunSolve Online for advice on increasing pseudo-ttys.
A web server is an essential part of a working Secure Global Desktop installation. Secure Global Desktop includes a web server, the Secure Global Desktop Web Server, that is pre-configured for use with Secure Global Desktop. The Secure Global Desktop Web Server consists of the following components:
Component | Version |
---|---|
Apache HTTP Server | 1.3.36 |
mod_ssl | 2.8.27 |
OpenSSL | 0.9.8d |
mod_jk | 1.2.15 |
Apache Jakarta Tomcat | 5.0.28 |
Apache Axis | 1.2 |
The Secure Global Desktop Web Server is installed when you install Secure Global Desktop. However, you can use your own web server with Secure Global Desktop if you want. How you do this is described in the Secure Global Desktop Administration Guide.
You must configure your network for use with Secure Global Desktop:
The Secure Global Desktop Administration Guide has detailed information about the ports used by Secure Global Desktop and how to use Secure Global Desktop with firewalls.
Secure Global Desktop supports the following protocols:
Secure Global Desktop supports secure connections from clients using the following protocols:
The following encryption cipher suites are supported:
Note the Java technology client does not support any AES cipher suites.
Secure Global Desktop supports Base 64-encoded PEM-format X.509 certificates that have been signed with any of the following Certificate Authority (CA) certificates (root certificates):
Additional certificate types can be supported by installing the CA's certificate (the root certificate) for that CA.
To use Secure Global Desktop with a proxy server, the proxy server must support tunneling.
For the browser-based webtop, you can use HTTP, Secure (SSL) or SOCKS v5 proxy servers.
For the classic webtop, the Java technology clients can use HTTP, Secure (SSL) or SOCKS v5 proxy servers. For the Native Clients, you can only use HTTP and SOCKS v5 proxy servers.
For SOCKS v5 proxy servers, Secure Global Desktop supports the Basic and No authentication required authentication methods. No server-side configuration is required.
Secure Global Desktop supports the following mechanisms for authenticating users:
Secure Global Desktop works with versions 4, 5 and 6 of the RSA ACE/Server.
SecurID authentication is not supported on Solaris OS on x86 platforms.
As Secure Global Desktop supports version 3 of the standard LDAP protocol, you should be able to use the LDAP login authority and the LDAP search methods for classic web server authentication and third-party authentication with any LDAP version 3-compliant directory server. Secure Global Desktop supports this functionality on the following directory servers:
Other directory servers may work, but are not supported.
The Active Directory login authority is only supported on Microsoft Active Directory.
The Directory Services Integration (sometimes known as webtop generation) functionality is supported on:
Other directory servers may work, but are not supported.
You can use Secure Global Desktop to access the following types of applications:
The Sun Secure Global Desktop Enhancement Module is a software component that can be installed on an application server to provide the following additional functionality to Secure Global Desktop:
The following are the supported installation platforms for the Enhancement Module:
Operating System | Supported Versions |
---|---|
Microsoft Windows | Windows Server 2003, Windows 2000 Server, Microsoft Windows XP Professional |
Solaris OS on SPARC platforms | 8, 9, 10 |
Solaris OS on x86 platforms | 10 |
Red Hat Enterprise Linux (Intel x86 32-bit) | 3, 4 |
Fedora Linux (Intel x86 32-bit) | Core 5 |
SUSE Linux Enterprise Server (Intel x86 32-bit) | 9, 10 |
On Microsoft Windows XP Professional platforms, only client drive mapping is supported. Seamless windows and advanced load balancing are not supported.
Secure Global Desktop supports printing to PostScript, PCL and text only printers attached to the user's client device.
The Secure Global Desktop tta_print_converter script performs any conversion needed to format print jobs correctly for the client printer. To convert from PostScript to PCL, Ghostscript must be installed on the Secure Global Desktop server.
To support Secure Global Desktop PDF printing, Ghostscript version 6.52 or later must be installed on the Secure Global Desktop server. The Ghostscript distribution must include the ps2pdf program.
Secure Global Desktop supports printing with the Common Unix Printing System (CUPS). CUPS version 1.1.19 or later must be installed on the Secure Global Desktop server. Additional configuration is required.
When printing from a Windows application that uses the Microsoft RDP protocol, Secure Global Desktop supports the printers supported by Windows 2000/2003. See the Windows Printer Driver Support page for details of supported printers.
Secure Global Desktop allows users to access a smart card reader attached to their client device from applications running on a Windows Server 2003 application server. Users can:
Secure Global Desktop should work with any Personal Computer/Smart Card (PC/SC)-compliant smart card and reader.
Logging on to a Windows Server 2003 application server using a smart card has been tested successfully with the following smart cards:
Client Operating System and Libraries | Smart Card |
---|---|
Microsoft Windows 2000 and XP Professional | ActivCard 64K, CryptoFlex 32K, GemPlus GPK16000 |
Solaris OS with Sun Ray PC/SC Bypass package (SUNWsrcbp) | ActivCard 64K, CryptoFlex 32K |
Fedora Linux with pcsc-lite 1.2.0 | ActivCard 64K, CryptoFlex 32K, GemPlus GPK16000 |
To access Secure Global Desktop (at http://server.example.com/sgd), you need the Secure Global Desktop Client and a supported web browser.
The Secure Global Desktop Client can operate in two modes:
The following table lists the supported client platforms, the supported web browsers, and the supported desktop menu systems when the Client is in integrated mode:
Supported Client Platform | Supported Web Browsers | Integrated Mode Support |
---|---|---|
Microsoft Windows Vista Business | Internet Explorer 7.0+, Mozilla Firefox 2.0+ | Microsoft Windows Start Menu |
Microsoft Windows XP Professional | Internet Explorer 6.0+, Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Microsoft Windows Start Menu |
Microsoft Windows 2000 Professional | Internet Explorer 6.0+, Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Microsoft Windows Start Menu |
Solaris 8+ OS on SPARC platforms | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Sun Java Desktop System Start Menu |
Solaris 10 OS on x86 platforms | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Sun Java Desktop System Start Menu |
Mac OS X 10.4+ | Safari 2.0+ | Not supported |
Red Hat Enterprise Linux (Intel x86 32-bit) 3, 4 | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Gnome or KDE Start Menu |
Fedora Linux (Intel x86 32-bit) Core 5 | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Gnome or KDE Start Menu |
Fedora Linux (x86_64) Core 5 | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Gnome or KDE Start Menu |
SUSE Linux Enterprise Server (Intel x86 32-bit) 8, 9 | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Gnome or KDE Start Menu |
Red Hat Desktop version 3.0 | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Gnome or KDE Start Menu |
SUSE Linux 9.1 Personal Desktop | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Gnome or KDE Start Menu |
For x86_64 platforms, only 32-bit versions of web browsers are supported.
Beta versions or preview releases of web browsers are not supported.
To support the following functionality, the web browser must have Java technology enabled:
The following are the supported Plug-ins for Java technology:
For best results, client devices must be configured for at least 256 colors.
Serial port mapping is only supported on Unix, Linux and Windows platforms.
To use the classic webtop (at http://server.example.com/tarantella) you need either the Sun Secure Global Desktop Native Client or the Java technology client running in a web browser.
The following table lists the supported client platforms and the supported web browsers and Native Clients for those platforms.
Supported Client Platform | Supported Web Browsers | Supported Native Client |
---|---|---|
Microsoft Windows XP Professional | Internet Explorer 6.0+, Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Native Client for Microsoft Windows |
Microsoft Windows 2000 Professional | Internet Explorer 6.0+, Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Native Client for Microsoft Windows |
Solaris 8+ OS on SPARC platforms | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Native Client for UNIX |
Solaris 10 OS on x86 platforms | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Native Client for UNIX |
Mac OS X 10.4+ | | Native Client for Mac OS X |
Red Hat Enterprise Linux (Intel x86 32-bit) 3, 4 | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Native Client for Linux |
Fedora Linux (Intel x86 32-bit) Core 5 | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Native Client for Linux |
SUSE Linux Enterprise Server (Intel x86 32-bit) 8, 9 | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Native Client for Linux |
Red Hat Desktop version 3.0 | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Native Client for Linux |
SUSE Linux 9.1 Personal Desktop | Netscape 6.0+, Mozilla (including Firefox) 1.4+ | Native Client for Linux |
Beta versions or preview releases of web browsers are not supported.
A supported web browser must have Java technology enabled. The following are the supported Plug-ins for Java technology:
Because of changes to security in Secure Global Desktop version 4.0, you cannot use the version 4.x Native Clients or Java clients to connect to a version 3.x Secure Global Desktop server. You must use a version 3.x client instead.
For best results, client devices must be configured for at least 256 colors.
The Native Clients and Java technology clients are no longer being actively developed, but they are still supported. Support for these client types will cease in a future release of Secure Global Desktop. The following lists the limitations of these client types:
The new features of Sun Secure Global Desktop Software 4.3 are:
The Secure Global Desktop Client can now operate in either of the following modes: Webtop mode and Integrated mode.
Note Integrated mode is the recommended mode if your organization prefers not to use Java™ technology on the client device. Integrated mode is not available for the classic webtop.
To use Integrated mode, the user must log in to Secure Global Desktop by clicking the Login link on their desktop Start Menu. Integrated mode is not available if you start a web browser and log in.
Working in integrated mode simplifies session management. Unlike the webtop, there are no controls for suspending and resuming applications. Instead, when the user logs out, the Client automatically suspends or ends all running emulator sessions. When the user logs in again, the Client automatically resumes all suspended sessions.
Printing is simplified too: printing is always "on" and print jobs go straight to the printer the user selected. Unlike the webtop, print jobs cannot be managed individually.
If the user needs to display a webtop, for example to resume a suspended application or manage printing, they can click the Webtop link on the Start Menu. The webtop is displayed in their default web browser.
If the user has arranged any of their webtop content to display in groups, those groups are also used in the Start Menu. If the group is configured to hide webtop content, the content does not display in the Start Menu.
To log out of Secure Global Desktop, the user clicks the Logout link on the Start Menu.
For details of which desktop systems can be used in integrated mode, see Platform Support for the Secure Global Desktop Client.
It is now possible to configure the Secure Global Desktop Client so that it starts automatically when a user logs in to their client device. The Client can also cache an authentication token that allows a user to start a webtop session automatically without having to log in manually. When the Client is configured in this way, users experience the benefits of a single sign-on.
Automatic login is achieved through a new authentication token login authority (ATLA). If the Client presents a valid authentication token, the user is automatically authenticated to Secure Global Desktop. To generate an authentication token, users must perform an initial log in using a web browser and then manually generate the authentication token by editing their profile. A separate token is needed for each Secure Global Desktop server the user connects to.
The desktop Start Menu and single sign-on features mean that the Secure Global Desktop Client requires some configuration to be able to connect to Secure Global Desktop. Not only that, different configurations may be needed in different situations, for example because the user is in the office or working at home. To be able to manage multiple Client configurations, this release introduces profiles as the method for storing a group of Client settings. Each profile allows you to configure the following:
Secure Global Desktop Administrators have full control over the creation of profiles. On an Administrator's webtop there is a new administration tool, Profile Editor, that allows you to create and edit profiles for organization, organizational unit (OU) and profile objects in the Tarantella System Objects organization. By defining profiles for these objects, Administrators can deploy common default Client configurations to users.
Administrators can also control whether users can create and edit their own profiles. User profile editing can be enabled array-wide, for an organization, for an OU or for individual users. By default, user profile editing is enabled. Users create and edit profiles from the Edit button on their webtop.
There is a system-wide default profile, which is configured to give users the standard webtop behavior available in previous releases. Administrators can edit this profile.
Once the Client is connected to Secure Global Desktop, the profile configured for the user is copied from the Secure Global Desktop server to the client device. If a user edits their profile, the changes are stored only on the client device.
When users connect to Secure Global Desktop from a variety of locations, there is often a need for different client proxy server settings. Ensuring that users have the correct proxy settings can also be difficult to administer. This release introduces mobile proxy server configuration which allows the Secure Global Desktop Client to use the profile to determine the proxy server settings. The profile allows proxy settings to be specified:
If the Client is running in Integrated mode and configured to use the web browser settings, the Client obtains the proxy settings by loading the URL specified in the profile in the user's default web browser. As the Client caches the settings it obtains, the Client can be configured to use the settings in the cache so that the user's default web browser only has to be started once.
Note to be able to determine the proxy settings from a web browser, the web browser must have Java technology enabled.
To support the use of profiles, the command line for the Secure Global Desktop Client on all platforms has been enhanced. There are now arguments to specify:
These enhancements allow you to create your own scripts for starting the Client and for running single applications.
To support running the Secure Global Desktop Client in Integrated mode or in environments that have web browsers without Java technology enabled, you can now manually download and install the Secure Global Desktop Client. You download the Client from a Secure Global Desktop Server at http://server.example.com. Click Install the Sun Secure Global Desktop Client.
This release includes a new X server, based on X11R6.8.2. The new X server delivered significant speed and bandwidth use improvements in benchmark tests when compared to version 4.2.
The updated server supports the following X extensions:
The new X server also includes support for some additional X fonts. The Speedo font is no longer available.
X application objects have a new attribute, Enable X Security Extension (--securityextension), which allows you to enable the X Security Extension for an application. If you need to run an X application from a host that may not be secure, you should enable the X Security Extension and run the application in untrusted mode. This restricts the operations that the X application can perform in the X server and protects the display. X security only works with versions of SSH that support the -Y option. For OpenSSH, this is version 3.8 or later.
The Secure Global Desktop Client on UNIX, Linux and Mac OS X client devices now supports PDF printing. On these clients, printing to a Secure Global Desktop PDF printer causes the document to be displayed in a PDF viewer where the file can be printed and/or saved. By default Secure Global Desktop supports the following PDF viewers.
Client Platform | Default PDF Viewer |
---|---|
Solaris OS on SPARC platforms | Adobe Reader (acroread) |
Solaris OS on x86 platforms | GNOME PDF Viewer (gpdf) |
Linux | GNOME PDF Viewer (gpdf) |
Mac OS X | Preview.app |
To be able to use a default viewer, the application must be on the user's PATH.
If an alternative PDF viewer is preferred, the full path to the alternative viewer can be specified in the profile used by the Secure Global Desktop Client.
Note when specifying a PDF printer on UNIX, Linux and Mac OS X client devices, there is no difference between the "Universal PDF" and "Print to Local PDF File" printers as the document is always displayed in a PDF viewer.
PDF printing on Microsoft Windows client devices is unchanged.
Client drive mapping is now available for UNIX and Linux applications. This applies to the Secure Global Desktop Client, the Native Client and the Java technology client.
When you enable client drive mapping in Array Manager this enables client drive mapping for UNIX, Linux and Windows applications.
The attributes for managing access rights to client drives available for organization, organizational unit and person objects apply only to Windows client devices regardless of whether they are connected to Windows, UNIX or Linux applications.
As in the previous release, the drives that are mapped for UNIX, Linux and Mac OS X client devices are controlled by entries in the user's configuration file, $HOME/.tarantella/native-cdm-config.
For client drive mapping to be available for UNIX and Linux applications:
/opt/tta_tem/bin/tem startcdm command.
/smb. It is possible to specify a different directory in the /opt/tta_tem/etc/client.prf file. The entry in this file has the format NFS_server/mount/mountpoint.
tarantella start cdm.
When client drive mapping is enabled, the user's client drives or file systems are available by default in the My SGD drives directory in the user's home directory. The My SGD drives directory is a symbolic link to the NFS share that is used for client drive mapping.
Users running Windows applications on a Windows Terminal Server can now access the serial ports on their client device.
To be able to access a serial port:
Users must have read-write access to the serial ports that they want to access.
Serial port mapping is available to the Secure Global Desktop Client and the Native Client running on Windows, Solaris and Linux client devices.
Microsoft Windows XP Professional includes the Remote Desktop feature that allows you to access a computer using the Remote Desktop Protocol. You can now use Secure Global Desktop and Remote Desktop, for example, to give users access to their office PC when they are out of the office. Only full Windows desktop sessions are supported.
You can also install the Secure Global Desktop Enhancement Module on Windows XP Professional to provide support for client drive mapping. Advanced load balancing and seamless windows are not supported.
The Secure Global Desktop Terminal Services Client (ttatsc) now supports an additional -console option which allows you to connect to the console session with Windows Server 2003 Terminal Services.
You can specify this option with the Protocol Arguments (--protoargs) attribute on the Windows application object.
When Secure Global Desktop is first installed, the initial connection between a Secure Global Desktop client and a Secure Global Desktop server is secured with SSL. However, after the user has logged in, the connection is downgraded to a standard connection. To be able to use SSL permanently for connections to Secure Global Desktop, you must enable Secure Global Desktop security services.
Port 5307/tcp is used for SSL-based connections between client devices and Secure Global Desktop. You may have to open this port in your firewall to allow clients to connect.
If you are using the array routes feature (tarantella config edit --tarantella-config-array-netservice-proxy-routes) and a route includes the :ssl option, you must configure the Secure Global Desktop SSL Daemon to accept unencrypted connections using the Accept plaintext on secure port attribute on the server-specific Security Properties panel in Array Manager (tarantella config edit --security-acceptplaintext).
As the Secure Global Desktop Client can now start and log in automatically, it is vital that users only connect to a host that is trusted. In this release, users must explicitly authorize the connection to Secure Global Desktop.
When a user connects to a Secure Global Desktop host for the first time, they see an Untrusted Initial Connection warning message that asks them whether they really want to connect to the host. The message displays the hostname and fingerprint of the security certificate for the server they are connecting to. Users should check these details before clicking Yes. Once a user has agreed to the connection, they are not prompted again unless there is a problem.
To ensure that users only connect to Secure Global Desktop servers that are trusted, Secure Global Desktop Administrators should:
tarantella security fingerprint command on each member of the array to obtain a list of fingerprints.
In a fresh installation, each Secure Global Desktop host has its own self-signed security certificate. Administrators should obtain and install a valid X.509 certificate for each Secure Global Desktop host.
Note If you are using the classic webtop, the Java technology client prompts users every time it connects to a Secure Global Desktop server. The Native Client never prompts users.
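The check that users are asked to make by eye at the Untrusted Initial Connection prompt can also be expressed in code. The following is an added example, not part of Secure Global Desktop or of the original notes: it compares the fingerprint of a presented PEM certificate against an administrator-published list and remembers accepted hosts. The function names, host names, sample certificate bytes and the SHA-256 digest are assumptions; use whichever digest the fingerprint command actually prints.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Extract the DER bytes from a Base 64-encoded PEM certificate."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(der, algorithm="sha256"):
    """Colon-separated hex digest of the certificate's DER bytes.

    The algorithm is an assumption; it must match what the server prints.
    """
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _canonical(fp):
    # Ignore case, colons and spaces so hand-copied fingerprints still compare.
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def _same(fp_a, fp_b):
    return hmac.compare_digest(_canonical(fp_a), _canonical(fp_b))


def check_host(hostname, presented_pem, published, pinned):
    """Decide whether to connect; returns (decision, reason).

    published: host -> fingerprint list distributed by the administrator.
    pinned:    host -> fingerprint accepted on an earlier connection (updated).
    """
    host = hostname.lower().rstrip(".")
    seen = fingerprint(pem_to_der(presented_pem))
    if host in pinned:
        # Not the first connection: any change is "a problem" worth stopping on.
        if _same(pinned[host], seen):
            return "connect", "matches the fingerprint accepted earlier"
        return "refuse", "fingerprint changed since the first connection"
    expected = published.get(host)
    if expected is None:
        return "refuse", "host is not on the administrator's list"
    if not _same(expected, seen):
        return "refuse", "fingerprint does not match the published list"
    pinned[host] = seen
    return "connect", "first connection, fingerprint matches the published list"


def _to_pem(der):
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample data: stand-in bytes, not real X.509 certificates.
DER_A = b"constructed stand-in for the certificate of sgd1.example.com"
DER_B = b"constructed stand-in for the certificate of sgd2.example.com"
PEM_A, PEM_B = _to_pem(DER_A), _to_pem(DER_B)

# What an administrator might publish after collecting fingerprints from
# each array member; the second entry is typed without colons on purpose.
PUBLISHED = {
    "sgd1.example.com": fingerprint(DER_A),
    "sgd2.example.com": fingerprint(DER_B).replace(":", " ").lower(),
}

if __name__ == "__main__":
    pinned = {}
    for host, pem in [("sgd1.example.com", PEM_A),   # first connection, good
                      ("sgd1.example.com", PEM_A),   # later connection, same cert
                      ("sgd1.example.com", PEM_B),   # certificate changed
                      ("other.example.com", PEM_A)]:  # host not published
        print(host, *check_host(host, pem, PUBLISHED, pinned))
```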
Secure Global Desktop Administrators now have control over copy and paste operations in Windows and X application sessions. Administrators can configure copy and paste as follows:
If a user attempts a copy and paste operation that is not permitted, for example because of differing security levels, they paste the following message instead of the copied data:
Sun Secure Global Desktop Software: Copied data not available to this application
As well as using RSA SecurID to authenticate users to Secure Global Desktop, you can use SecurID for application server authentication when launching X and character applications.
To use SecurID authentication, you should first ensure that users can log in to the application server using SecurID before introducing Secure Global Desktop. When you are ready to use SecurID authentication, configure the application to use the securid/unix.exp Login script.
This release contains localized user interfaces for:
By visiting a different URL or selecting a language on the Secure Global Desktop Web Server home page (http://server.example.com), users can run a webtop in their preferred language. The Secure Global Desktop Client too can be started in a preferred language.
The following are not localized:
The following translations of Secure Global Desktop Documentation are available:
Language | Release Notes | Installation Guide | Administration Guide | User Guide |
---|---|---|---|---|
French | Yes | Yes | No | Yes |
Japanese | Yes | Yes | Yes | Yes |
Korean | Yes | Yes | No | Yes |
Simplified Chinese | Yes | Yes | No | Yes |
Traditional Chinese | Yes | Yes | No | Yes |
Not all pages in the Administration Guide have been translated into Japanese.
The Expect scripts used to start applications on application servers have also been enhanced to support system prompts in different languages. By default, the languages supported by Secure Global Desktop are supported.
To allow the Expect scripts to work with system prompts in different languages, there is a new Host Locale (--hostlocale) attribute on host objects that allows you to specify the locale of the host.
Sun Secure Global Desktop Software 4.3 contains the following changes:
This release introduces a single package for installing Secure Global Desktop. When you install Secure Global Desktop, you install all the packages that previously had to be installed separately (including the font packages). The use of the components is controlled by the license keys installed in the array.
As the initial connection to Secure Global Desktop is now always secure, this means that the Secure Global Desktop SSL Daemon is always running even if Secure Global Desktop security services have not been enabled.
In previous releases, a user preferences file was used to configure the Secure Global Desktop Client on UNIX, Linux and Mac OS X client devices. With the introduction of profiles, the preferences file is only used for the Native Client on these platforms.
In previous releases, the Window Close Action (--windowclose) attribute was only available to X applications that were configured to display using client window management. The use of this attribute has been extended to include X, Windows and character applications that are configured to display using an independent window.
The change means that closing an independent window may end or suspend the emulator session. The default is to end the session.
Secure Global Desktop now supports PAM (Pluggable Authentication Modules) for UNIX user authentication. The change affects the following login authorities:
Secure Global Desktop uses PAM for user authentication, account operations and password operations.
When you install Secure Global Desktop on Linux platforms, Setup automatically creates PAM configuration entries for Secure Global Desktop by copying the current configuration for the passwd program and creating the /etc/pam.d/tarantella file. On Solaris OS platforms, you can add a new entry for Secure Global Desktop (tarantella) in the /etc/pam.conf file if required.
Using PAM gives Secure Global Desktop Administrators more flexibility and control over UNIX user authentication, for example by adding new login tests, account limits, or valid password checks.
As a result of the changes introduced in this release to support PDF printing on UNIX, Linux and Mac OS X client devices, the Display Adobe Reader Print dialog (--pdfprompt) attribute has been removed from the Printing properties panel in Array Manager and from the Printing panel for organization, organizational unit and person objects in Object Manager.
This change means that when users print with the Universal PDF printer on Windows clients, the print job is automatically sent to the client's default printer. To be able to choose which client printer the print job is sent to, users must now select the Print to Local PDF File printer.
When using the Active Directory login authority, there is a new Use Certificates checkbox on the Secure Global Desktop Login properties panel in Array Manager. If Active Directory is configured to require client certificates and you have created and installed a client certificate for Secure Global Desktop, then you no longer need to configure the username and password of a privileged user.
The password used for the Secure Global Desktop certificate store (/opt/tarantella/var/info/certs/sslkeystore) is no longer hard-coded to 123456. Instead each store now has a random password, which is stored in /opt/tarantella/var/info/key. Use this password with the -storepass and -keypass options when using keytool.
Version 4.2 contained the following changes to licensing:
If you upgrade from an earlier version your existing product license keys will be automatically converted and your existing Maintenance and Right to upgrade license keys will be deleted.
From version 4.1, Secure Global Desktop no longer supports the rlogin and rcmd connection methods for starting applications. If you upgrade from an earlier version, you must change the connection method for any applications that use these methods.
From version 4.1, Secure Global Desktop uses a different attribute for the Maximum simultaneous webtop connections setting (--tuning-maxconnections
). If you upgrade from an earlier version, the default setting for this attribute will be applied.
From version 4.0, Secure Global Desktop uses a different emulator for mainframe (3270) applications. 3270 character and 3270 X application objects are no longer available and have been replaced by a single 3270 application object. As the new 3270 application object has several new attributes, it is not possible to upgrade existing 3270 application objects. If you upgrade from an earlier version, your existing 3270 character and 3270 X applications will be deleted when you upgrade and you will need to re-configure them.
This section lists the significant bug fixes contained in this release. They are divided into the following areas:
Reference | Description |
---|---|
6433525 | /usr/bin owner is changed to ttasys on startup. |
6436735 | The tarantella object new_xapp command does not accept the --accel argument. |
6437203 | Object Manager shows a warning message after renaming an ENS object. |
6445405 | Shadowing from the command line takes an invalid session id. |
6447937 | X authority cookies should not be passed via environment. |
6450323 | Attributes cannot be specified in object creation but can be set in object edit. |
6451537 | tarantella license commands and Array Manager display obsolete software components. |
Reference | Description |
---|---|
6357003 | The Native Client cannot launch a web browser on Solaris OS. |
6357022 | Native Client shifts up the full-screen webtop on Java Desktop System. |
6392279 | X authorization issue causes launch failure. |
6401949 | With optimizelaunch enabled in the unix.exp login script, the expired password handler does not work. |
6405808 | The filtering script (runsubscript.exp) is not being called during the launch process. |
6416951 | Error message is displayed when a new browser window application is ended with the 'X' button. |
6419574 | The authentication dialog returns corrupted data if the password has more than eight characters. |
6427189 | Launch failure when the host is not known to ssh. |
6434660 | Password expiry handling on application launch is broken. |
6447551 | There should only be one ttacpe process created for each webtop session. |
6455378 | Launch failure when ssh used over su for an application running on the Secure Global Desktop host. |
6464809 | # characters in system login banner cause automated launch process to fail. |
6470173 | Add support for SecurID ACE agent for PAM. |
6475303 | Custom Certificate Authority certificates not recognized and cause a prompt when launching in-place applications |
6476180 | Root window stays around when logging out of kiosk Gnome session. |
Reference | Description |
---|---|
6416384 | RDP-based audio output stops playing when using a SunRay. |
Reference | Description |
---|---|
6409765 | Error copying large(ish) files from client to server over a slow network in RDP sessions. |
Reference | Description |
---|---|
6408157 | Local X server application does not launch from the JSP webtop. |
6417140 | The webtop frame is blank after launching an application. |
6417575 | Unix Native Client using a proxy server: log in, log out, log in again and the Native Client hangs. |
6417631 | Unix Native Client: redraw problems with kiosk applications. |
6424776 | Secure Global Desktop Client produces errors and exits when logging out of the webtop. |
6432133 | The Native Client SEGVs if you close the connection progress window. |
6465959 | When Secure Global Desktop restarts, the Secure Global Desktop Client spins and sends out hundreds of network packets. |
6468173 | Wait cursor problem on SunRays. |
Reference | Description |
---|---|
6381531 | Edited colormap.txt intermittently ignored when security is enabled. |
6386091 | Windows Native Client and Citrix ICA X Client: possible key event incompatibility. |
6415498 | Character terminal session closes unexpectedly when function keys are pressed. |
6417698 | Scalable windows applications do not toggle when scroll lock pressed on Java Desktop System on Solaris 10 OS. |
6426355 | ttaxpe dies with SIGSEGV |
6427789 | Copy (ctrl+insert) causes X applications to hang. |
6433273 | Using the Native Client on Solaris OS, kiosk mode does not display correctly. |
6435437 | Child window sometimes comes up below the parent window using seamless windows. |
6435489 | Windows applications performance in 4.3. |
6435527 | Segmentation fault in the ttaxpe when running the HP monitoring tool. |
6445467 | Windows Logo keys do not work in a Terminal Services session. |
6446469 | Problems with the French locale and keymap. |
6467368 | Letter repeated twice in Remote Desktop Protocol session. |
6471395 | Timezone redirection fails to set correct time during daylight savings. Time always out by one hour. |
6472959 | ESC-NumLock does not work as expected from Solaris OS client/SunRay. |
Reference | Description |
---|---|
6355269 | The default configuration for a Java Desktop Session loses some important configuration parameters. |
6368390 | Upgrade from 4.20.909 to later builds requires a maintenance or right to upgrade license. |
6368675 | Root certificates for secure LDAP servers are not retained during an upgrade. |
6396629 | Install fails during bean creation, server will not start. |
6407985 | Secure Global Desktop incorrectly handles large amount of free disk space at install. |
6430913 | Problems with httpd.conf file on upgrade. |
6446020 | Unable to uninstall Secure Global Desktop if the external DNS name is incorrect. |
6453638 | Cannot log in to a Secure Global Desktop server after an upgrade. |
6462429 | Secure Global Desktop is uninstalled even though user selected No. |
Reference | Description |
---|---|
6354105 | In Configuration Wizard, the application list shows corrupt strings with multibyte characters. |
6355226 | The Connection Progress dialog cannot display multibyte characters. |
6357040 | Cannot copy and paste from Microsoft Windows to Solaris OS. |
6357075 | Cannot copy and paste from Microsoft Windows to Microsoft Windows. |
6357606 | Cannot copy and paste from Java Desktop System to Common Desktop Environment. |
6362374 | Client drive mapping daemon crashes with a localized native-cdm-config file. |
6419511 | Windows applications should have Unicode as the Euro symbol default. |
6419523 | Server LANG environment overrides client locale setting. |
6447594 | Client window mode should be accessed with an IP address instead of unix socket. |
6450008 | Problems generating an apostrophe with a Swedish keyboard. |
Reference | Description |
---|---|
6466415 | Secure LDAP does not work without security licenses installed. |
Reference | Description |
---|---|
6375600 | Authentication fails with ActivCard - Cyberflex 64k Smart Card (also bug ref 607218). |
6384746 | Able to read .cgi files via web browser. |
6390126 | A large number of users logging in in quick succession hangs the Secure Global Desktop server. |
6393623 | New browser window gets launched when new browser windows applications are launched with the CTRL key pressed. |
6407855 | Secure Global Desktop Server exits with error code 129, signal 0. |
6408159 | New blank browser window opens on exiting the application opened in new browser window mode. |
6409117 | Secure Global Desktop Enhancement Module for Intel Solaris appears to fail. |
6410161 | Using telnet to connect to localhost port 1023 causes the Protocol Engine Manager to use 100% CPU. |
6418965 | Client window manager applications display Minimize and Maximize buttons that are not present in original application. |
6430243 | Secure Global Desktop Apache includes development private paths and configurations. |
6430396 | Unable to copy paste to and from a WCP IWM session from the classic webtop. |
6436155 | Setting keepalive to 0 causes keepalives to be sent continuously. |
6442142 | Quitting Gnome session causes ttaxpe to use 100% CPU. |
6446271 | Secure Global Desktop Web Server starts but remains attached to the console. |
Reference | Description |
---|---|
6376221 | Printer properties (such as paper size) do not appear to be stored between RDP sessions. |
6406292 | Driver name duplicated if printing is configured at OU and user level. |
6421283 | Windows Native Client detects DEFAULT_PRINTER_UNKNOWN when there is no printer configured on the client device. |
6427852 | Login delay induced by inaccessible network printer attached to client device. |
Reference | Description |
---|---|
6419520 | LDAP searches of Active Directory contacts AD servers in other regions for information. |
6446338 | The prompt for password change does not appear after a password has expired. |
6446437 | Cannot create an array after enabling SSL connections between array members. |
6457984 | Validate user input to the login box to prevent cross-site scripting attacks. |
6468699 | ttassl daemon core dumps due to sigsegv, signal 11. |
6469123 | Apply OpenSSL security patch secadv_20060905.txt |
6476728 | Apply OpenSSL security patch secadv_20060928.txt |
6478735 | Cascading Stylesheets vulnerability. |
Reference | Description |
---|---|
6379743 | tarantella status command report is incorrect when SSL connections between array members is enabled. |
6392365 | Array problems when one of the array members is not contactable. |
6393745 | Cannot successfully promote a secondary server to a primary if the primary server is down. |
6445200 | Array behavior when joining and detaching members of an array that is licensed. |
Reference | Description |
---|---|
6383417 | If the krb5.conf file has errors, user login hangs and the server continuously writes exceptions to jserver.log. |
6400123 | Ambiguous login is not allowed if invalid credentials were provided the first time. |
6415709 | Active Directory authentication fails silently if one tree of a forest is not configured in the krb5.conf file. |
6439688 | Windows Native Client does not display an error message if an Active Directory password change fails. |
6454261 | Expect script updated for German Solaris OS applications. |
6460263 | Oberthur AuthentIC card not recognized when using Secure Global Desktop (fixed for Windows Clients only). |
6465569 | Active Directory PKI infrastructure does not failover to the next global catalog server. |
6471877 | SecurID login authority issues. |
Reference | Description |
---|---|
6391262 | Anonymous users can create and edit webtop groups. This info will be stored on disk and not cleaned up. |
6427185 | Secure Global Desktop Web Server exposes too much information. |
Customers with a valid support agreement can upgrade to the latest version of Sun Secure Global Desktop Software free of charge.
The following table lists the end-of-support dates for previous Secure Global Desktop and Tarantella software products:
Software Product | Version | Supported Until |
---|---|---|
Secure Global Desktop Enterprise Edition | 4.1 | March 31, 2007 |
Secure Global Desktop Enterprise Edition | 4.0 | March 31, 2007 |
Secure Global Desktop Software Appliance | 4.0 | March 31, 2007 |
Secure Global Desktop Enterprise Edition | 3.42 | March 31, 2007 |
Tarantella Enterprise 3 (including TASP) | 3.40 | March 31, 2007 |
The following are the known bugs and issues with this release:
Secure Global Desktop X and character emulators cannot distinguish between the Return key and the keypad ENTER key on the user's client keyboard.
A known issue.
By default, the Secure Global Desktop Client and the Native Client map the keypad ENTER key to Return in both X and character emulator sessions. With additional configuration this behavior can be changed.
To change the behavior of the keypad ENTER key in a character application session, you need to set up a keymap for your character application object (--keymap) and add a mapping for KPENTER, for example:
KPENTER="hello"
To change the behavior of the keypad ENTER key in a Windows/X application session, you need to modify your X keymap (for example, xuniversal.txt) and add a mapping for the KP_Enter key, for example:
92 KP_Enter KP_Enter NoSymbol NoSymbol 0x801c
Warning! The X keymap is a global/user resource, so all applications for that user may be affected by this change. If any of these applications do not handle KP_Enter, then you may need to consult your X/Windows application vendor for assistance.
Note The Java™ technology clients are unable to distinguish between RETURN and the keypad ENTER key.
Users in Chinese (Simplified and Traditional), Japanese, and Korean locales cannot display non-ASCII characters in the candidate and status windows of the input method when running applications on a Solaris OS application server. This affects Solaris 8, 9, 10 and 10u1 OS platforms.
Missing font path configuration on the Secure Global Desktop server.
Add Chinese, Japanese, and Korean font path information to the font server on the Secure Global Desktop host.
For example, if the Secure Global Desktop Server is installed on a Solaris 10 OS platform and you are using the Simplified Chinese input method:
/usr/openwin/lib/X11/fontserver.cfg file and add the Chinese font path information as follows:
clone-self = on
use-syslog = off
catalogue =/usr/openwin/lib/locale/zh_CN.GB18030/X11/fonts/75dpi,/usr/openwin/lib/locale/zh_CN.GB18030/X11/fonts/TrueType,
/usr/openwin/lib/locale/zh.GBK/X11/fonts/75dpi,/usr/openwin/lib/locale/zh.GBK/X11/fonts/TrueType,/usr/openwin/lib/locale/zh/X11/fonts/75dpi,
/usr/openwin/lib/locale/zh/X11/fonts/TrueType,/usr/openwin/lib/locale/zh.UTF-8/X11/fonts/misc,/usr/openwin/lib/locale/iso_8859_2/X11/fonts/75dpi,
/usr/openwin/lib/locale/iso_8859_2/X11/fonts/Type1,/usr/openwin/lib/locale/iso_8859_2/X11/fonts/TrueType,/usr/openwin/lib/locale/iso_8859_4/X11/fonts/75dpi,
/usr/openwin/lib/locale/iso_8859_4/X11/fonts/Type1,/usr/openwin/lib/locale/iso_8859_5/X11/fonts/75dpi,/usr/openwin/lib/locale/iso_8859_5/X11/fonts/Type1,
/usr/openwin/lib/locale/iso_8859_5/X11/fonts/TrueType,/usr/openwin/lib/locale/ar/X11/fonts/TrueType,/usr/openwin/lib/locale/iso_8859_7/X11/fonts/TrueType,
/usr/openwin/lib/locale/iso_8859_7/X11/fonts/75dpi,/usr/openwin/lib/locale/iso_8859_7/X11/fonts/Type1,/usr/openwin/lib/locale/iso_8859_8/X11/fonts/Type1,
/usr/openwin/lib/locale/iso_8859_8/X11/fonts/TrueType,/usr/openwin/lib/locale/iso_8859_9/X11/fonts/75dpi,/usr/openwin/lib/locale/iso_8859_9/X11/fonts/Type1,
/usr/openwin/lib/locale/iso_8859_9/X11/fonts/TrueType,/usr/openwin/lib/locale/iso_8859_15/X11/fonts/TrueType
# in decipoints
default-point-size = 120
default-resolutions = 75,75,100,100
svcadm restart xfs
Note Changes to font path information take effect for new Protocol Engines only. Existing Protocol Engines are not affected.
The Secure Global Desktop Administration Guide has more detailed information on using your own X fonts. See "How do I use my own X fonts?"
Alternatively, on Solaris 10 OS application servers only, upgrading to the latest version of the Internet Intranet Input Method Framework (IIIMF) should also fix the problem.
When using Japanese PC 106 or Sun Type 7 Japanese keyboards with Windows applications running through Secure Global Desktop, the Yen and Backslash keys produce the same result.
A known issue with key handling.
Modify the Xsun keytable or the Xorg keytable on the client device.
For example, change the /usr/openwin/etc/keytables/Japan7.kt file as follows:
...
#137 RN XK_backslash XK_bar XK_prolongedsound
137 RN XK_yen XK_bar XK_prolongedsound
...
#39 RN XK_0 XK_asciitilde XK_kana_WA XK_kana_WO
39 RN XK_0 XK_0 XK_kana_WA XK_kana_WO
...
For example, change the /usr/X11/lib/X11/xkb/symbols/sun/jp file as follows:
...
# key <AE13> { [ backslash, bar ], [ prolongedsound ] };
key <AE13> { [ yen, bar ], [ prolongedsound ] };
...
# key <AE10> { [ 0, asciitilde ], [ kana_WA, kana_WO ] };
key <AE10> { [ 0, 0], [ kana_WA, kana_WO ] };
...
After making these changes, you must restart dtlogin:
/etc/init.d/dtlogin stop
/etc/init.d/dtlogin start
On Solaris 10 x86 platforms, enabling Integrated mode when you are logged in as root does not add applications to the desktop Start Menu. You may also see the following warning:
gnome-vfs-modules-WARNING **: Error writing vfolder configuration file "//.gnome2/vfolders/applications.vfolder-info": File not found.
A known issue with the Gnome Virtual File System (VFS).
There is currently no solution.
On client devices running SUSE Linux Enterprise Server 10, the Gnome Main Menu crashes when using the Integrated Client. The crash usually occurs on login or logout.
A known problem with the Gnome Main Menu applet on SUSE Linux Enterprise Server 10 (Novell bug reference 186555).
Disabling the Recently Used Applications functionality improves the stability of the Gnome Main Menu.
Run the following commands on the client device:
gconftool-2 --set --type=list \
--list-type=int /desktop/gnome/applications/main-menu/lock-down/showable_file_types [0,2]
pkill main-menu
pkill application-browser
When configured to operate in Integrated mode, the Sun Secure Global Desktop Client creates entries in the desktop Start Menu. It is possible to rename these entries, but the changes are not honored by the Client.
Renaming Start Menu entries is not supported.
Do not rename the Secure Global Desktop Start Menu entries.
After enabling the Automatic Client Login or the Add Applications to Start Menu options in your profile, the Secure Global Desktop Client does not start automatically when you log in to the Gnome Desktop and/or the Start Menu is not updated with webtop content when you log in to Secure Global Desktop.
A known bug with Gnome Desktop on SUSE Linux Enterprise Server 9.
The directories containing the .menu files are not monitored and so changes to the Start Menu are not detected.
The workaround is to run the following command to restart the gnome-panel and pick up new menu information:
pkill gnome-panel
Note you must run this command to update the menu each time the menu changes.
Japanese users working with applications that are configured to display on the webtop or in a new browser window find that many keys do not work. Problems have been noticed with the Windows key, the Applications key, and the Katakana, Zenkaku_Hankaku, Hiragana and Muhenkan keys.
Applications configured to display on the webtop or in a new browser window use the classic Java technology client. This client has not been internationalized or localized.
Change the application's Display Using attribute so that the application displays in either a kiosk, an independent or a seamless window.
When the connection method is SSH, system login banners containing characters such as "#", "$" or "=" cause the login scripts to fail.
The SGD login scripts interpret characters such as "#", "$" or "=" as a command prompt. When the login scripts detect a command prompt, they stop checking for a password prompt.
Do one of the following:
/opt/tarantella/var/serverresources/expect/procs.exp login script.
Change the following line:
set seen_pw_or_ssh_prompt 0
to
set seen_pw_or_ssh_prompt 1
Secure Global Desktop allows users to change the way an application is displayed by holding down the Control key when clicking the link to start an application. Holding down the Shift key allows users to start an application as a different user. Neither of these options work when clicking links in the desktop Start Menu (Integrated Client).
This functionality is not yet available to the Integrated Client.
To use this functionality, you must start the application from a webtop. To display a webtop, click the Webtop link in the Start Menu.
When accessing Secure Global Desktop from a SunRay, the cursor shape changes to the wait cursor and does not change back again.
A known issue.
The workaround is to set an environment variable TTA_GNOME_VERSION that contains the version of Gnome you are using. For example, add the following lines to your .profile:
TTA_GNOME_VERSION=2.6.0
export TTA_GNOME_VERSION
After starting a Gnome session on Solaris 10 OS on SPARC platforms, users are unable to input anything with the keyboard. The mouse, however, does work.
A known bug with remote Gnome sessions, see http://bugzilla.gnome.org/show_bug.cgi?id=170318. The Sun Microsystems bug reference is 6239595.
This specific problem was fixed in patch ID 119542. This patch was also included in a cumulative patch ID 122212 for the Gnome Desktop. Both patches are available from SunSolve Online.
The workaround is to create a Gnome configuration file /etc/gconf/gconf.xml.defaults/apps/gnome_settings_daemon/keybindings/%gconf.xml with the following content:
<?xml version="1.0"?>
<gconf>
<entry name="volume_up" mtime="1110896708" type="string"><stringvalue></stringvalue></entry>
<entry name="volume_mute" mtime="1110896705" type="string"><stringvalue></stringvalue></entry>
<entry name="volume_down" mtime="1110896702" type="string"><stringvalue></stringvalue></entry>
<entry name="help" mtime="1110896698" type="string"><stringvalue></stringvalue></entry>
</gconf>
When you compile your own Apache modules for use with the Secure Global Desktop Web Server, the compilation fails because of a missing egcc compiler.
The configuration file for the Apache eXtenSion tool (apxs) that is used to build extension modules for the Secure Global Desktop Web Server uses the egcc compiler and this may not be available on your system.
Either modify the apxs configuration file (/opt/tarantella/webserver/apache/version/bin/apxs) to use a compiler that is available on your system or create a symlink for egcc that links to the compiler on your system.
Shortcuts for the Integrated Client do not display on the KDE Desktop Menu on SUSE Linux Enterprise Server 10.
SUSE-specific configuration of the KDE menu system means that if a menu contains only one application entry, then that single application is used in the main menu instead of the menu. If the menu entry is a sub-menu, the sub-menu does not display at all. This causes the Integrated Client Login menu not to display.
The workaround is to add the following line to the [menus] section of $HOME/.kde/share/config/kickerrc:
ReduceMenuDepth=false
Then run the following command for the KDE panel to immediately pick up the changes:
dcop kicker kicker restart
All subsequent KDE sessions will automatically use this setting.
After enabling the Automatic Client Login or the Add Applications to Start Menu options in your profile, the Secure Global Desktop Client does not start automatically when you log in to the Gnome Desktop and/or the Start Menu is not updated with webtop content when you log in to Secure Global Desktop.
A known bug with Gnome Desktop on Red Hat Enterprise Linux 4 (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=151887).
The directories containing the .menu files are not monitored and so changes to the Start Menu are not detected.
The workaround is to run the following command to restart the gnome-panel and pick up new menu information:
pkill gnome-panel
Note you must run this command to update the menu each time the menu changes.
Client drive mapping fails if the Client for Microsoft Networks is not enabled on a Microsoft Windows application server.
The Client for Microsoft Networks must be enabled to allow remote access to files and folders.
Enable the Client for Microsoft Networks, as follows:
After enabling the Add Applications to Start Menu option in your profile, the Start Menu is not updated with webtop content when you log in to Secure Global Desktop.
Starting the Secure Global Desktop Client from the command line may also result in the following error:
-----------------------------------------------
process:5281): GLib-CRITICAL **: file gtree.c: line 261 (g_tree_destroy): assertion `tree != NULL' failed
----------------------------------------------
Red Hat Enterprise Linux 3 has menu editing disabled by default and so the Gnome Start Menu is not updated.
The error message is not critical.
Enable menu editing for the Gnome Desktop, as follows:
/etc/gnome-vfs-2.0/modules directory.
default-modules.conf file as follows:
mv default-modules.conf default-modules.conf.without-menu-editing
default-modules.conf.with-menu-editing file as follows:
cp default-modules.conf.with-menu-editing default-modules.conf
Users must log out of the Gnome Desktop and log back in again for the change to take effect.
If you relocate the browser-based webtop to your own JavaServer Pages (JSP) container, the Integrated Client refuses to connect to Secure Global Desktop.
The Integrated Client requires some files from the Axis web application.
To use the Integrated Client, you must also copy the Axis web application to the remote host. Copy everything in the /opt/tarantella/webserver/tomcat/5.0.28_axis1.2/webapps/axis directory to the remote host.
Note The axis directory contains several symbolic links. Ensure these links are followed when you copy the directory.
When you install Secure Global Desktop in a supported locale, the language used during the installation is English.
To see localized text during installation, the gettext package must be installed on the host. If this package is missing, the installation defaults to English.
Ensure the gettext package is installed before installing Secure Global Desktop.
After upgrading to version 4.3, a server that was configured to accept only secure connections now accepts standard and secure connections.
A known issue.
Re-configure the server to accept only secure connections. In Array Manager, on the Security Properties panel for the server, uncheck the box next to Standard connections. Alternatively run the following command:
tarantella config edit --security-connectiontypes ssl
Using Internet Explorer 7 on Microsoft Windows Vista platforms, the Secure Global Desktop Client cannot be automatically downloaded and installed. The Client can be installed manually and it can be installed automatically using another browser, such as Firefox.
Internet Explorer has a Protected Mode that prevents the Client downloading and installing automatically.
Add the Secure Global Desktop server to the Trusted Sites list in Internet Explorer's Security Settings.
The Fewest application sessions method of load balancing applications does not detect when an application server is unavailable to launch applications. The result is that Secure Global Desktop tries to launch an application on a server that is not available and it does not fail over to the next available host.
A known issue.
This problem will be fixed in a future release of Secure Global Desktop.
The workaround is to edit the host object in Object Manager and uncheck the Available to launch applications box (--available false). This removes the host from the list of servers that can run applications.
Launching an X application on an application server that is not running Solaris OS or Linux is either slow or fails (times out).
A known issue with the procs.exp Expect script used to launch applications.
This problem will be fixed in a future release of Secure Global Desktop.
The workaround is to edit the procs.exp script as follows:
/opt/tarantella/var/serverresources/expect directory.
procs.exp file.
procs.exp file and replace the set_os function with the following:
proc set_os { } {
  global os
  if { $os != "" } { return }
  send -s "uname -s\n"
  expect {
    -re "SunOS" { set os "Solaris" }
    -re "Linux" {
      send -s "if \[ -f /etc/redhat-release \]; then echo \"Redhat\"; elif \[ -f /etc/SuSE-release \]; then echo \"SuSE\"; else echo \"Not available\"; fi\n"
      expect {
        -re "Redhat" { set os "Redhat" }
        -re "SuSE" { set os "SuSE" }
      }
    }
    -re ".*\n.*\n" { set os "Unknown" }
  }
}
procs.exp file.
When using the Integrated Client on Microsoft Windows Vista clients, the Start Menu is not updated correctly when you log in and out of Secure Global Desktop.
A known issue.
This problem will be fixed in a future release of Secure Global Desktop.
When using Integrated mode on Microsoft Windows client devices, users may notice that the Start Menu entries are not sorted alphabetically.
This is caused by a Windows feature that adds new items to the end of a menu rather than preserving the alphabetical sorting.
See Microsoft KB article 177482 for details.
On Sun Java Desktop Systems, users may find that Start Menu entries are not created for Secure Global Desktop when they enable Integrated mode. The Start Menu entries are added when they log out of their desktop and log in again.
A known issue with the Gnome panel.
The solution is to install the following patches:
The workaround is to log out of the desktop and log in again.
Users with Sun Type 7 Japanese keyboards cannot input characters correctly using Secure Global Desktop.
Missing Solaris OS keytable on the client device.
Install the appropriate patch to install the keytable on the client device:
Platform | Required Patch |
---|---|
Solaris 10 OS on SPARC platforms | 121868-03 |
Solaris 9 OS on SPARC platforms | 113764-04 |
Solaris 8 OS on SPARC platforms | 111075-05 |
Solaris 10 OS on x86 platforms | 121869-03 |
Solaris 9 OS on x86 platforms | 113765-03 |
Solaris 8 OS on x86 platforms | 114539-02 |
Users cannot use SecurID to authenticate to Secure Global Desktop.
The binary used for SecurID authentication (ttasecurid) is not included in this build.
A workaround is to use web server authentication to an RSA SecurID server.
A solution to this issue is expected in the near future. If you require further information, contact Sun Support.
The following are the known documentation issues with this release:
Secure Global Desktop allows users to change the way an application is displayed by holding down the Control key when clicking the link to start an application. Holding down the Shift key allows users to start an application as a different user.
The Secure Global Desktop Administration Guide and User Guide incorrectly state that this functionality is available when using the Integrated Client.
To use this functionality, you must start the application from a webtop. To display a webtop, click the Webtop link in the Start Menu.
The page Relocating the browser-based webtop to your own JSP container contains instructions for moving the webtop to another host.
These instructions are valid if you want to work in Webtop mode. To use the Integrated Client, however, you must also copy the Axis web application to the remote host. Copy everything in the /opt/tarantella/webserver/tomcat/5.0.28_axis1.2/webapps/axis directory to the remote host.
Note The axis directory contains several symbolic links. Ensure these links are followed when you copy the directory.
The Secure Global Desktop Administration Guide incorrectly states that the SecurID login authority works with versions 4 and 5 of the RSA ACE/Server.
This login authority works with versions 4, 5 and 6.
The page Securing connections to Active Directory and LDAP directory servers gives instructions on creating client certificates for use with Microsoft Active Directory. In step 9 the instructions state "ensure DER is selected". This should be "ensure Base 64 encoded is selected".
The documentation for the tarantella license query command shows the output of some sample commands that includes TSP (Security) licenses. The tarantella license query command no longer counts and displays information about these license types.
If you are using the multiple external DNS names feature and you want to enable secure connections, you need an X.509 certificate and key for each DNS name that is being used.
To configure Secure Global Desktop to use multiple certificates, use the tarantella config edit --tarantella-config-ssldaemon-certfiles "filter" ... command to configure the certificate and key to use for a particular client and server combination. Each filter has the form:
"clientip:clientport:serverip:serverport:keyfile:certfile"
On the command line, enclose each filter in quotes and use a space to separate the filters. You can use wildcards for the ports and IP addresses. The order of the filters is important, as the first matching filter found is used.
Set up your filters to match the same client connections as your external DNS names configuration. For example, you configure the external DNS names as follows:
tarantella config edit --server-dns-external "192.168.5.*:boston.indigo-insurance.com" "*:www.indigo-insurance.com"
To configure the certificates and keys for these names, run the following command:
tarantella config edit --tarantella-config-ssldaemon-certfiles \
  "192.168.5.*:*:192.168.5.24:*:/opt/tarantella/var/tsp/key.pem:/opt/tarantella/var/tsp/cert.pem" \
  "*:*:192.168.10.24:*:/opt/tarantella/var/tsp/externalkey.pem:/opt/tarantella/var/tsp/externalcert.pem"
With this configuration, clients with an IP address beginning 192.168.5 connect to boston.indigo-insurance.com and receive an SSL connection using the key and certificate defined in the filter. All other clients connect to www.indigo-insurance.com. If the order of the filters was reversed, all clients would receive an SSL connection using the key and certificate defined for www.indigo-insurance.com.
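The first-match rule can be checked before a filter list is deployed. The following is an added example, not code from Sun's documentation or from Secure Global Desktop: it models the filter format shown above and flags filters that an earlier, broader filter makes unreachable. It assumes shell-style `*` wildcards and IPv4 addresses; the function names and the /example paths are hypothetical.

```python
from fnmatch import fnmatchcase

FIELDS = ("clientip", "clientport", "serverip", "serverport", "keyfile", "certfile")
MATCHED = FIELDS[:4]  # only these four take part in matching

def parse_filter(text):
    """Split one filter string into its six fields (IPv4 only: ':' is the separator)."""
    parts = text.split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected 6 colon-separated fields: {text!r}")
    return dict(zip(FIELDS, parts))

def select(filters, clientip, clientport, serverip, serverport):
    """Return (keyfile, certfile) of the first matching filter, or None."""
    conn = (clientip, str(clientport), serverip, str(serverport))
    for f in filters:
        if all(fnmatchcase(value, f[name]) for name, value in zip(MATCHED, conn)):
            return f["keyfile"], f["certfile"]
    return None

def shadowed(filters):
    """Return (earlier, later) index pairs where the later filter can never be chosen.

    A pattern covers another if it matches the other's text literally; this is
    sound for '*' wildcards, the only kind used here.
    """
    pairs = []
    for j, later in enumerate(filters):
        for i, earlier in enumerate(filters[:j]):
            if all(fnmatchcase(later[n], earlier[n]) for n in MATCHED):
                pairs.append((i, j))
                break
    return pairs

# The two filters from the command above, in the documented order.
PAGE_FILTERS = [parse_filter(s) for s in (
    "192.168.5.*:*:192.168.5.24:*:/opt/tarantella/var/tsp/key.pem:/opt/tarantella/var/tsp/cert.pem",
    "*:*:192.168.10.24:*:/opt/tarantella/var/tsp/externalkey.pem:/opt/tarantella/var/tsp/externalcert.pem",
)]
# Constructed mis-ordered list (hypothetical paths): the catch-all comes first.
MISORDERED = [parse_filter(s) for s in (
    "*:*:*:*:/example/wide.key:/example/wide.crt",
    "192.168.5.*:*:*:*:/example/internal.key:/example/internal.crt",
)]

if __name__ == "__main__":
    print(select(PAGE_FILTERS, "192.168.5.77", 40000, "192.168.5.24", 443))
    print(shadowed(PAGE_FILTERS), shadowed(MISORDERED))
```

A connection that matches no filter returns None here; what the SSL daemon does in that case is not described on this page.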
The documentation for the new copy and paste security feature does not contain the following last-minute changes to the software.
The documentation recommends that you run the Secure Global Desktop server in a UTF-8 locale to allow the successful copy and paste of non-ASCII text. However, in circumstances where it may not be possible to do this, you can install a UTF-8 locale and specify it by setting the TTA_TEXTCONV_LANG environment variable. For example:
TTA_TEXTCONV_LANG=en_GB.UTF8; export TTA_TEXTCONV_LANG
The documentation also recommends disabling copy and paste operations with client devices by setting the client security level to be lower or higher than the applications being used. You can disable all client copy and paste operations by selecting disabled from the list for the Clipboard: Client security level attribute on the Array Properties panel of Array Manager or with the tarantella config edit --array-clipboard-clientlevel -1 command.
Copyright © 1997-2006 Sun Microsystems, Inc. All rights reserved.
Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.
U.S. Government Rights - Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.
This distribution may include materials developed by third parties. Sun, Sun Microsystems, the Sun logo, Java and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries.
UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.