11 Replies Latest reply: Aug 14, 2012 4:27 PM by 955576

ssl issues with sgd 4.4

955576 Newbie
Hi there,

I cannot start my SGD server with --ssl; I get the following error in the logs...

2012/08/13 13:04:33.169 ssl1112 ssldaemon/clientconnection/badforwardporterror
Sun Secure Global Desktop Software (4.4) ERROR:

The Security Daemon has received a connection to be forwarded onwards,
but it could not get the port to forward to from the
tarantella.config.server.proxiedhttpsurl attribute.
Please ensure this attribute is correctly correctly by using the Security
properties in the per-server section of the array manager. ssldaemon/clientconnection/badforwardporterror

2012/07/30 13:04:33.169 ssl1112 ssldaemon/clientconnection/badforwardporterror
Sun Secure Global Desktop Software (4.4) ERROR:

The Security Daemon has received a connection to be forwarded onwards,
but it could not get the port to forward to from the
tarantella.config.server.proxiedhttpsurl attribute.
Please ensure this attribute is correctly correctly by using the Security
properties in the per-server section of the array manager. ssldaemon/clientconnection/badforwardporterror

2012/07/30 13:04:33.170 ssl1112 ssldaemon/TTAservererror/badresponseinfo
Sun Secure Global Desktop Software (4.4) ERROR:

Secure Global Desktop server not responding on port 0, closing the connection.
TSP=SERVER IP:443 Client=CLIENT IP:35987 ssldaemon/TTAservererror/badresponseinfo

2012/07/30 13:04:33.170 ssl1112 ssldaemon/TTAservererror/badresponseinfo
Sun Secure Global Desktop Software (4.4) ERROR:

I cannot start Array Manager as it's not used any more, and I cannot see any options in the GUI config for this.

Any help is appreciated.

regards
  • 1. Re: ssl issues with sgd 4.4
    MrBrown Explorer
    What is the output of

    # tarantella config list

    as well as the Apache httpd.conf directives for SGD?

    There is no Array Manager in SGD 4.4 . . . replaced by the Admin Console. Most of the config is done via cmd line vs GUI. Have you read

    http://docs.oracle.com/cd/E19728-01/820-2550/secure_client.html
  • 2. Re: ssl issues with sgd 4.4
    955576 Newbie
    Hi there,

    Thanks for the quick reply. Please see below the output for config list...


    array-audio-quality: medium
    array-audio: 0
    array-billingservices: 0
    array-cdm-fallbackdrive: t+
    array-cdm-wins: 0
    array-cdm: 1
    array-clipboard-clientlevel: 3
    array-clipboard-enabled: 1
    array-editprofile: 1
    array-externallaservice: 0
    array-logfilter: */*/fatalerror:.../_beans/com.sco.tta.server.log.ConsoleSink,server/login/*info:login%%PID%%_moreinfo.log,audit/session/*info:login%%PID%%_moreinfo.log,cdm/*/*:cdm%%PID%%.log,cdm/*/*:cdm%%PID%%.jsl,server/deviceservice/*:cdm%%PID%%.log,server/deviceservice/*:cdm%%PID%%.jsl,server/security/*:ssl%%PID%%.log,server/printing/*:print%%PID%%.log,server/printing/*:print%%PID%%.jsl
    array-port-encrypted: 443
    array-port-peer: 5427
    array-port-unencrypted: 3144
    array-resourcesync: 1
    array-scard: 1
    array-serialport: 1
    array-unixaudio-quality: medium
    array-unixaudio: 0
    audiope-compression: never
    chpe-compression: auto
    chpe-compressionthreshold: 256
    chpe-exitafter: 60
    cpe-args: ""
    cpe-exitafter: 60
    cpe-maxsessions: 20
    cpe-maxusers: 1
    execpe-args: ""
    execpe-exitafter: 60
    execpe-maxsessions: 10
    execpe-maxusers: 1
    execpe-scriptdir: %%INSTALLDIR%%/var/serverresources/expect
    iope-compression: never
    launch-allowsmartcard: 0
    launch-alwayssmartcard-initial: checked
    launch-alwayssmartcard-state: enabled
    launch-details-initial: shown
    launch-details-showonerror: true
    launch-details-state: enabled
    launch-expiredpassword: manual
    launch-loadbalancing-algorithm: sessions
    launch-savepassword-initial: checked
    launch-savepassword-state: enabled
    launch-savettapassword: 1
    launch-showauthdialog: user
    launch-showdialogafter: 2
    launch-trycachedpassword: 1
    login-ad-base-domain: ""
    login-ad-default-domain: ""
    login-ad: 0
    login-anon: 0
    login-atla: 0
    login-autotoken: 0
    login-ens: 1
    login-ldap-pki-enabled: 0
    login-ldap-thirdparty-ens: 0
    login-ldap-thirdparty-profile: 0
    login-ldap-url: ldap://dc.domain.com
    login-ldap: 0
    login-mapped: 0
    login-nt-domain: dc.domain.com
    login-nt: 1
    login-securid: 0
    login-theme: sco/tta/standard
    login-thirdparty-ens: 0
    login-thirdparty-nonens: 1
    login-thirdparty-superusers: sgd_trusted_user
    login-thirdparty: 0
    login-unix-group: 0
    login-unix-user: 1
    login-web-ens: 0
    login-web-ldap-ens: 0
    login-web-ldap-profile: 1
    login-web-profile: 0
    login-web-tokenvalidity: 180
    ppe-compression: auto
    ppe-compressionthreshold: 4096
    ppe-exitafter: 240
    printing-mapprinters: 1
    printing-pdfdriver: ""
    printing-pdfenabled: 0
    printing-pdfisdefault: 0
    printing-pdfprinter: "Universal PDF Printer"
    printing-pdfprompt: 0
    printing-pdfviewer: "Universal PDF Viewer"
    printing-pdfviewerenabled: 0
    printing-pdfviewerisdefault: 0
    scardpe-compression: never
    security-acceptplaintext: 0
    security-applyconnections: 1
    security-connectiontypes: "std,ssl"
    security-firewallurl: ""
    security-newkeyonrestart: 0
    security-printmappings-timeout: 1800
    security-ssldaemon-failmode: reducesecurity
    security-xsecurity: 1
    server-dns-external: *:sgd1.domain.com
    server-location: ""
    server-logdir: /opt/tarantella/var/log
    server-login: enabled
    server-redirectionurl: ""
    sessions-aipkeepalive: 100
    sessions-loadbalancing-algorithm: .../_beans/com.sco.tta.server.loadbalancing.tier2.SessionLoadBalancingPolicy
    sessions-timeout-always: 11500
    sessions-timeout-session: 720
    tuning-jvm-initial: 120
    tuning-jvm-max: 2048
    tuning-jvm-scale: 150
    tuning-maxconnections: 1000
    tuning-maxfiledescriptors: 4096
    tuning-maxrequests: 7
    tuning-resourcesync-time: 4:00
    xpe-args: ""
    xpe-cwm-maxheight: 1280
    xpe-cwm-maxwidth: 3200
    xpe-exitafter: 60
    xpe-fontpath: "%%INSTALLDIR%%/etc/fonts/misc,%%INSTALLDIR%%/etc/fonts/TTF,%%INSTALLDIR%%/etc/fonts/Type1,%%INSTALLDIR%%/etc/fonts/CID,%%INSTALLDIR%%/etc/fonts/local,%%INSTALLDIR%%/etc/fonts/75dpi,%%INSTALLDIR%%/etc/fonts/100dpi,%%INSTALLDIR%%/etc/fonts/ibm,%%INSTALLDIR%%/etc/fonts/hp,%%INSTALLDIR%%/etc/fonts/andrew,%%INSTALLDIR%%/etc/fonts/icl,%%INSTALLDIR%%/etc/fonts/scoterm,%%INSTALLDIR%%/etc/fonts/cyrillic,%%INSTALLDIR%%/etc/fonts/hangul,%%INSTALLDIR%%/etc/fonts/oriental"
    xpe-keymap: xuk.txt
    xpe-maxsessions: 20
    xpe-maxusers: 1
    xpe-monitorresolution: 0
    xpe-rgbdatabase: %%INSTALLDIR%%/etc/data/rgb.txt
    xpe-sessionstarttimeout: 60
    xpe-tzmapfile: %%INSTALLDIR%%/etc/data/timezonemap.txt

    Edited by: 952573 on Aug 13, 2012 4:41 PM
  • 3. Re: ssl issues with sgd 4.4
    955576 Newbie
    Also, the httpd directives for the ports are...

    port 80

    and

    <IfDefine SSL>
    Listen 80
    Listen 443
    </IfDefine>
  • 4. Re: ssl issues with sgd 4.4
    MrBrown Explorer
    Are you looking to use Firewall Forwarding or will just use the secure SGD port 5307? If trying to use Firewall Forwarding then your config is incorrect.

    security-firewallurl: ""
  • 5. Re: ssl issues with sgd 4.4
    955576 Newbie
    This used to work ages ago so I am at a loss as to why it doesn't now.

    I don't think I need firewall forwarding, just simply to have the system start with SSL support, and to be able to connect using https://server...

    Can I simply change that setting and restart tarantella to take effect?
  • 6. Re: ssl issues with sgd 4.4
    955576 Newbie
    Also noticed that I get this error after a tarantella start...

    Failed to bind to INADDR_ANY on port 443.Reason: bind(8,*:443): (125) Address already in use


    and also getting this...

    If this server is configured for firewall forwarding and the web server is bound to 'localhost:443', you can ignore this error. If not, then check to see which process is bound to the port.

    Tried closing SGD and checking netstat while it's shut down, and nothing is using 443.

    Edited by: 952573 on Aug 13, 2012 5:33 PM
  • 7. Re: ssl issues with sgd 4.4
    806512 Newbie
    You've got a partially-configured firewall traversal - your secure port is set to 443, but you've also got Apache set to "Listen 443", so both Apache and ttassld are attempting to bind to *:443 and only one process can bind to a port.

    If you want firewall traversal, you need to set Apache to "Listen 127.0.0.1:443", and the firewall-url to https://127.0.0.1. If you don't want to use fw traversal, then reset the secure port to 5307.
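
The clash described in reply 7 can be checked mechanically. The following is an added example, not part of the original thread or of Oracle's tooling: it parses `tarantella config list` output and Apache `Listen` directives and reports the bind conflict and the half-configured firewall traversal. The sample inputs are constructed from the values posted above; the function names and finding codes are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed inputs that mirror the values posted in this thread.
SAMPLE_CONFIG = 'array-port-encrypted: 443\narray-port-unencrypted: 3144\nsecurity-firewallurl: ""\n'
SAMPLE_HTTPD = "<IfDefine SSL>\nListen 80\nListen 443\n</IfDefine>\n"

def parse_config(text):
    """Parse 'name: value' lines as printed by `tarantella config list`."""
    cfg = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")  # split on the first colon only
        if sep:
            cfg[name.strip()] = value.strip().strip('"')
    return cfg

def parse_listen(text):
    """Return (address, port) for each Apache Listen directive; '*' means all interfaces."""
    pairs = []
    for m in re.finditer(r"^[ \t]*Listen[ \t]+(\S+)", text, re.I | re.M):
        addr, _, port = m.group(1).rpartition(":")
        pairs.append((addr or "*", int(port)))
    return pairs

def check(cfg, listens):
    """Return (code, message) findings for the states described in the thread."""
    findings = []
    aip = int(cfg.get("array-port-encrypted", 5307))  # 5307: the port the thread resets to
    fw_url = cfg.get("security-firewallurl", "")
    # Apache on a wildcard address and ttassld on the same port cannot both bind.
    if any(p == aip and a in ("*", "0.0.0.0", "[::]") for a, p in listens):
        findings.append(("bind-conflict",
                         f"Apache and ttassld both try to bind *:{aip}"))
    # Encrypted port moved to 443 but nowhere to forward HTTPS traffic.
    if aip == 443 and not fw_url:
        findings.append(("no-forward-target",
                         "encrypted port is 443 but security-firewallurl is empty"))
    # Forwarding URL set, but Apache is not listening on that address and port.
    if fw_url:
        u = urlsplit(fw_url)
        if (u.hostname, u.port or 443) not in listens:
            findings.append(("target-not-listening",
                             f"no Apache Listen matches {fw_url}"))
    return findings

if __name__ == "__main__":
    for code, msg in check(parse_config(SAMPLE_CONFIG), parse_listen(SAMPLE_HTTPD)):
        print(f"{code}: {msg}")
```
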
  • 8. Re: ssl issues with sgd 4.4
    955576 Newbie
    I don't think I need firewall traversal tbh. The system is on the same VLAN as the terminal servers. Are there any other reasons I would need firewall traversal? Also, what's the command for changing the traversal port?

    Thanks a million btw for your help, very much appreciated.
  • 9. Re: ssl issues with sgd 4.4
    955576 Newbie
    Hi there,

    I was wondering if you could tell me how to then reset the secure port to 5307. Been googling a fair bit and can't see how to do this :-(

    Thanks again.

    Regards
  • 10. Re: ssl issues with sgd 4.4
    806512 Newbie
    Firewall traversal is for when there's a firewall between the client and the SGD server, and the firewall is blocking the AIP port (3144 unencrypted, 5307 encrypted.) Firewall traversal maps both the https (webserver) protocol and the AIP protocol to the same port (443), which is usually "open" in most firewall configurations. So, this lets you connect a client to a server, usually without changing firewall configurations.

    If you're strictly using local connections, then it's not needed. So, to reset the AIP "secure" port back to 5307, you run the command:

    /opt/tarantella/bin/tarantella config edit --array-port-encrypted 5307

    and restart SGD. Alternatively, you can reset the port in the SGD admin console under "Global Settings"-->"Communications" tab.

    Here's the link to the SGD 4.40 documentation if you want to read more on the topic: http://docs.oracle.com/cd/E19728-01/820-2550/firewall_configuring.html#client

    Hope this helps.
  • 11. Re: ssl issues with sgd 4.4
    955576 Newbie
    Managed to resolve the issue with /opt/tarantella/bin/tarantella config edit --array-port-encrypted 5307.

    Thanks LOADS for your help :-)

    Edited by: 952573 on Aug 14, 2012 4:27 PM