Secure Global Desktop 4.40 Administration Guide > Getting Started > Users and Trusted SGD Servers

Users and Trusted SGD Servers

When SGD is first installed, the initial connection between an SGD Client and an SGD server is secured with SSL. However, after the user has logged in, the connection is downgraded to a standard connection. To be able to use SSL permanently for connections to SGD, you must enable SGD security services.

In addition to using SSL, SGD also requires users to authorize their connections to SGD so that they only connect to trusted servers. The first time a user connects to an SGD server, they see an Untrusted Initial Connection message advising that they are connecting to a server for the first time.

Note If there is a problem with the server's security certificate, a security warning displays before the Untrusted Initial Connection message.

Users must check these details before clicking Yes. Show users how to check the details as follows:

1. Check that the name of the server displayed in the message matches the name of the server to which the user is connecting.
2. Check that the certificate is correct. Click View Certificate. The Certificate Details dialog displays.

   

3. Check that the Validity and Subject details are correct.
4. Click Close.

If the details are correct, users can click Yes to agree to the connection.

Once a user has agreed to the connection, the host name and the fingerprint of the certificate are added to the hostsvisited file on the client device. The hostsvisited file is stored in the same location as the user's client profile cache.

The user is not prompted again about the connection unless there is a problem.

If there is a problem with the connection, for example because the fingerprint of the server certificate has changed, a Potentially Unsafe Connection message displays.

To ensure that users only connect to SGD servers that are trusted, Secure Global Desktop Administrators can do the following:

• Provide users with a list of host names and fingerprints for the servers that are trusted. Use the tarantella security fingerprint command on each SGD server in the array to obtain a list of fingerprints.
• Explain to users the security implications of agreeing to connect to server.

Using the hostsvisited File for Additional Security

You can use use a pre-configured hostsvisited file to restrict the SGD servers that the Sun Secure Global Desktop Client can connect to. To do this you need to install the pre-configured hostsvisited file on the client device. The easiest way to create a pre-configured hostsvisited file is to copy and edit an existing hostsvisited file. You also have to add a <allowhostoverride> line manually to the hostsvisited file, as shown in the following example:

<?xml version="1.0" encoding="UTF-8" ?>
<array>
  <allowhostoverride>0</allowhostoverride>
  <server peername="boston.indigo-insurance.com">
    <certfingerprint>51:B7:6D:FA:6E:3B:BE:ED:37:73:D4:9D:5B:C5:71:F6</certfingerprint>
  </server>
</array>

If you omit <allowhostoverride> line, this only stops users from being prompted when they connect to any of the SGD servers listed in the hostsvisited file. It does not prevent the SGD Client from connecting to other servers.

Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.