11 Replies. Latest reply: Aug 14, 2012 6:27 PM by 955576

    ssl issues with sgd 4.4

    955576
      Hi there,

      I cannot start my SGD server with --ssl; I get the following error in the logs...

      2012/08/13 13:04:33.169 ssl1112 ssldaemon/clientconnection/badforwardporterror
      Sun Secure Global Desktop Software (4.4) ERROR:

      The Security Daemon has received a connection to be forwarded onwards,
      but it could not get the port to forward to from the
      tarantella.config.server.proxiedhttpsurl attribute.
      Please ensure this attribute is correctly correctly by using the Security
      properties in the per-server section of the array manager. ssldaemon/clientconnection/badforwardporterror

      2012/07/30 13:04:33.169 ssl1112 ssldaemon/clientconnection/badforwardporterror
      Sun Secure Global Desktop Software (4.4) ERROR:

      The Security Daemon has received a connection to be forwarded onwards,
      but it could not get the port to forward to from the
      tarantella.config.server.proxiedhttpsurl attribute.
      Please ensure this attribute is correctly correctly by using the Security
      properties in the per-server section of the array manager. ssldaemon/clientconnection/badforwardporterror

      2012/07/30 13:04:33.170 ssl1112 ssldaemon/TTAservererror/badresponseinfo
      Sun Secure Global Desktop Software (4.4) ERROR:

      Secure Global Desktop server not responding on port 0, closing the connection.
      TSP=SERVER IP:443 Client=CLIENT IP:35987 ssldaemon/TTAservererror/badresponseinfo

      2012/07/30 13:04:33.170 ssl1112 ssldaemon/TTAservererror/badresponseinfo
      Sun Secure Global Desktop Software (4.4) ERROR:

      I cannot start Array Manager as it's not used any more, and I cannot see any options in the GUI config for this.

      Any help is appreciated.

      regards
        • 1. Re: ssl issues with sgd 4.4
          Mrbrown-Oracle
          What is the output of

          # tarantella config list

          as well as the Apache httpd.conf directives for SGD?

          There is no Array Manager in SGD 4.4 . . . replaced by the Admin Console. Most of the config is done via cmd line vs GUI. Have you read

          http://docs.oracle.com/cd/E19728-01/820-2550/secure_client.html
          • 2. Re: ssl issues with sgd 4.4
            955576
            Hi there,

            Thanks for the quick reply. Please see below the output for config list...


            array-audio-quality: medium
            array-audio: 0
            array-billingservices: 0
            array-cdm-fallbackdrive: t+
            array-cdm-wins: 0
            array-cdm: 1
            array-clipboard-clientlevel: 3
            array-clipboard-enabled: 1
            array-editprofile: 1
            array-externallaservice: 0
            array-logfilter: */*/fatalerror:.../_beans/com.sco.tta.server.log.ConsoleSink,server/login/*info:login%%PID%%_moreinfo.log,audit/session/*info:login%%PID%%_moreinfo.log,cdm/*/*:cdm%%PID%%.log,cdm/*/*:cdm%%PID%%.jsl,server/deviceservice/*:cdm%%PID%%.log,server/deviceservice/*:cdm%%PID%%.jsl,server/security/*:ssl%%PID%%.log,server/printing/*:print%%PID%%.log,server/printing/*:print%%PID%%.jsl
            array-port-encrypted: 443
            array-port-peer: 5427
            array-port-unencrypted: 3144
            array-resourcesync: 1
            array-scard: 1
            array-serialport: 1
            array-unixaudio-quality: medium
            array-unixaudio: 0
            audiope-compression: never
            chpe-compression: auto
            chpe-compressionthreshold: 256
            chpe-exitafter: 60
            cpe-args: ""
            cpe-exitafter: 60
            cpe-maxsessions: 20
            cpe-maxusers: 1
            execpe-args: ""
            execpe-exitafter: 60
            execpe-maxsessions: 10
            execpe-maxusers: 1
            execpe-scriptdir: %%INSTALLDIR%%/var/serverresources/expect
            iope-compression: never
            launch-allowsmartcard: 0
            launch-alwayssmartcard-initial: checked
            launch-alwayssmartcard-state: enabled
            launch-details-initial: shown
            launch-details-showonerror: true
            launch-details-state: enabled
            launch-expiredpassword: manual
            launch-loadbalancing-algorithm: sessions
            launch-savepassword-initial: checked
            launch-savepassword-state: enabled
            launch-savettapassword: 1
            launch-showauthdialog: user
            launch-showdialogafter: 2
            launch-trycachedpassword: 1
            login-ad-base-domain: ""
            login-ad-default-domain: ""
            login-ad: 0
            login-anon: 0
            login-atla: 0
            login-autotoken: 0
            login-ens: 1
            login-ldap-pki-enabled: 0
            login-ldap-thirdparty-ens: 0
            login-ldap-thirdparty-profile: 0
            login-ldap-url: ldap://dc.domain.com
            login-ldap: 0
            login-mapped: 0
            login-nt-domain: dc.domain.com
            login-nt: 1
            login-securid: 0
            login-theme: sco/tta/standard
            login-thirdparty-ens: 0
            login-thirdparty-nonens: 1
            login-thirdparty-superusers: sgd_trusted_user
            login-thirdparty: 0
            login-unix-group: 0
            login-unix-user: 1
            login-web-ens: 0
            login-web-ldap-ens: 0
            login-web-ldap-profile: 1
            login-web-profile: 0
            login-web-tokenvalidity: 180
            ppe-compression: auto
            ppe-compressionthreshold: 4096
            ppe-exitafter: 240
            printing-mapprinters: 1
            printing-pdfdriver: ""
            printing-pdfenabled: 0
            printing-pdfisdefault: 0
            printing-pdfprinter: "Universal PDF Printer"
            printing-pdfprompt: 0
            printing-pdfviewer: "Universal PDF Viewer"
            printing-pdfviewerenabled: 0
            printing-pdfviewerisdefault: 0
            scardpe-compression: never
            security-acceptplaintext: 0
            security-applyconnections: 1
            security-connectiontypes: "std,ssl"
            security-firewallurl: ""
            security-newkeyonrestart: 0
            security-printmappings-timeout: 1800
            security-ssldaemon-failmode: reducesecurity
            security-xsecurity: 1
            server-dns-external: *:sgd1.domain.com
            server-location: ""
            server-logdir: /opt/tarantella/var/log
            server-login: enabled
            server-redirectionurl: ""
            sessions-aipkeepalive: 100
            sessions-loadbalancing-algorithm: .../_beans/com.sco.tta.server.loadbalancing.tier2.SessionLoadBalancingPolicy
            sessions-timeout-always: 11500
            sessions-timeout-session: 720
            tuning-jvm-initial: 120
            tuning-jvm-max: 2048
            tuning-jvm-scale: 150
            tuning-maxconnections: 1000
            tuning-maxfiledescriptors: 4096
            tuning-maxrequests: 7
            tuning-resourcesync-time: 4:00
            xpe-args: ""
            xpe-cwm-maxheight: 1280
            xpe-cwm-maxwidth: 3200
            xpe-exitafter: 60
            xpe-fontpath: "%%INSTALLDIR%%/etc/fonts/misc,%%INSTALLDIR%%/etc/fonts/TTF,%%INSTALLDIR%%/etc/fonts/Type1,%%INSTALLDIR%%/etc/fonts/CID,%%INSTALLDIR%%/etc/fonts/local,%%INSTALLDIR%%/etc/fonts/75dpi,%%INSTALLDIR%%/etc/fonts/100dpi,%%INSTALLDIR%%/etc/fonts/ibm,%%INSTALLDIR%%/etc/fonts/hp,%%INSTALLDIR%%/etc/fonts/andrew,%%INSTALLDIR%%/etc/fonts/icl,%%INSTALLDIR%%/etc/fonts/scoterm,%%INSTALLDIR%%/etc/fonts/cyrillic,%%INSTALLDIR%%/etc/fonts/hangul,%%INSTALLDIR%%/etc/fonts/oriental"
            xpe-keymap: xuk.txt
            xpe-maxsessions: 20
            xpe-maxusers: 1
            xpe-monitorresolution: 0
            xpe-rgbdatabase: %%INSTALLDIR%%/etc/data/rgb.txt
            xpe-sessionstarttimeout: 60
            xpe-tzmapfile: %%INSTALLDIR%%/etc/data/timezonemap.txt

            Edited by: 952573 on Aug 13, 2012 4:41 PM
            • 3. Re: ssl issues with sgd 4.4
              955576
              Also, the httpd directives for the ports are...

              port 80

              and

              <IfDefine SSL>
              Listen 80
              Listen 443
              </IfDefine>
              • 4. Re: ssl issues with sgd 4.4
                Mrbrown-Oracle
                Are you looking to use Firewall Forwarding, or will you just use the secure SGD port 5307? If trying to use Firewall Forwarding, then your config is incorrect.

                security-firewallurl: ""
                • 5. Re: ssl issues with sgd 4.4
                  955576
                  This used to work ages ago so I am at a loss as to why it doesn't now.

                  I don't think I need firewall forwarding, just simply to have the system start with SSL support and to be able to connect using https://server...

                  Can I simply change that setting and restart tarantella to take effect?
                  • 6. Re: ssl issues with sgd 4.4
                    955576
                    Also noticed that I get this error after a tarantella start...

                    Failed to bind to INADDR_ANY on port 443.Reason: bind(8,*:443): (125) Address already in use


                    and also getting this...

                    If this server is configured for firewall forwarding and the web server is bound to 'localhost:443', you can ignore this error. If not, then check to see which process is bound to the port.

                    Tried closing SGD and checking netstat while it's shut down, and nothing is using 443.

                    Edited by: 952573 on Aug 13, 2012 5:33 PM
                    • 7. Re: ssl issues with sgd 4.4
                      806512
                      You've got a partially-configured firewall traversal - your secure port is set to 443, but you've also got Apache set to "Listen 443", so both Apache and ttassld are attempting to bind to *:443 and only one process can bind to a port.

                      If you want firewall traversal, you need to set Apache to "Listen 127.0.0.1:443", and the firewall-url to https://127.0.0.1. If you don't want to use fw traversal, then reset the secure port to 5307.
                      • 8. Re: ssl issues with sgd 4.4
                        955576
                        I don't think I need firewall traversal, tbh. The system is on the same VLAN as the terminal servers. Are there any other reasons I would need firewall traversal? Also, what's the command for changing the traversal port?

                        Thanks a million btw for your help, very much appreciated.
                        • 9. Re: ssl issues with sgd 4.4
                          955576
                          Hi there,

                          I was wondering if you could tell me how to then reset the secure port to 5307. Been googling a fair bit and can't see how to do this :-(

                          Thanks again.

                          Regards
                          • 10. Re: ssl issues with sgd 4.4
                            806512
                            Firewall traversal is for when there's a firewall between the client and the SGD server, and the firewall is blocking the AIP port (3144 unencrypted, 5307 encrypted.) Firewall traversal maps both the https (webserver) protocol and the AIP protocol to the same port (443), which is usually "open" in most firewall configurations. So, this lets you connect a client to a server, usually without changing firewall configurations.

                            If you're strictly using local connections, then it's not needed. So, to reset the AIP "secure" port back to 5307, you run the command:

                            /opt/tarantella/bin/tarantella config edit --array-port-encrypted 5307

                            and restart SGD. Alternatively, you can reset the port in the SGD admin console under "Global Settings"-->"Communications" tab.

                            Here's the link to the SGD 4.40 documentation if you want to read more on the topic: http://docs.oracle.com/cd/E19728-01/820-2550/firewall_configuring.html#client

                            Hope this helps.
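
The half-configured state diagnosed in replies 7 and 10 can be checked mechanically. The following is an added example, not code from the thread or from SGD: it parses `tarantella config list` output and Apache `Listen` directives and flags a secure port shared with the web server. The function names and finding codes are hypothetical, and the sample inputs are constructed from values posted above.

```python
import re

# Constructed sample inputs, built from the values posted in the thread.
SAMPLE_CONFIG = 'array-port-encrypted: 443\nsecurity-firewallurl: ""\n'
SAMPLE_HTTPD = "<IfDefine SSL>\nListen 80\nListen 443\n</IfDefine>\n"

def parse_sgd_config(text):
    """Parse 'tarantella config list' output (one 'name: value' per line)."""
    cfg = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep:
            cfg[name.strip()] = value.strip().strip('"')
    return cfg

def apache_listeners(httpd_conf):
    """Return (address, port) per Listen directive; '*' means every interface."""
    pattern = re.compile(r"^\s*Listen\s+(?:(\S+):)?(\d+)\s*$", re.M | re.I)
    return [(m.group(1) or "*", int(m.group(2))) for m in pattern.finditer(httpd_conf)]

def check_secure_port(cfg, listeners):
    """Return finding codes (hypothetical names) for the state the thread describes."""
    findings = []
    # Assumption: fall back to 5307, the encrypted AIP port named in the thread.
    aip_port = int(cfg.get("array-port-encrypted", "5307"))
    fw_url = cfg.get("security-firewallurl", "")
    shared = [addr for addr, port in listeners if port == aip_port]
    # Apache on a wildcard address and ttassld cannot both bind *:<port>.
    if any(addr in ("*", "0.0.0.0", "[::]") for addr in shared):
        findings.append("bind-conflict")
    # Port is shared with the web server but no firewall URL is set to forward to.
    if shared and not fw_url:
        findings.append("no-firewall-url")
    return findings

if __name__ == "__main__":
    cfg = parse_sgd_config(SAMPLE_CONFIG)
    for code in check_secure_port(cfg, apache_listeners(SAMPLE_HTTPD)):
        print(code)
```

Both findings clear either when the secure port is reset to 5307 or when Apache listens on 127.0.0.1:443 and the firewall URL is set, matching the two options given in reply 7.
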
                            • 11. Re: ssl issues with sgd 4.4
                              955576
                              Managed to resolve the issue with /opt/tarantella/bin/tarantella config edit --array-port-encrypted 5307.

                              Thanks LOADS for your help :-)

                              Edited by: 952573 on Aug 14, 2012 4:27 PM