Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-71-1010574.1
Update Date:2011-03-03
Keywords:

Solution Type  Technical Instruction Sure

Solution  1010574.1 :   Sun Ray[TM] Controlled Access Mode  


Related Items
  • Sun Ray Hardware
  •  
  • Sun Ray Hardware
  •  
  • Sun Ray Software
  •  
  • Sun Ray Hardware
  •  
  • Sun Ray Hardware
  •  
  • Sun Ray Hardware
  •  
Related Categories
  • GCS>Sun Microsystems>Desktops>Desktop Virtualization>Sun Ray Hardware
  •  
  • GCS>Sun Microsystems>Desktops>Desktop Virtualization>Sun Ray Software
  •  

PreviouslyPublishedAs
214549


Description
The purpose of this document is to give information on how to configure
and enable the CAM (Controlled Access Mode) Environment, also known as Kiosk mode.


Steps to Follow
CAM (Controlled Access Mode) requires that the SUNWutkio and SUNWbbchr
packages are installed.

These packages reside in different locations in Sun Ray[TM]
Server Software versions 1.3, 2.0, and 3.0. The Sun Ray[TM] Server Software 3.0
reorganizes SUNWutkio into two separate packages SUNWutkio and SUNWutkir.
Note that Sun Ray[TM] Server Software 3.0 for Linux does not support Controlled Access Mode.

Package location on Sun Ray[TM] Server Software 1.3 CDROM:

 /cdrom/sun_ray_13/Sun_Ray_Server_Software_1.3/Solaris_2.6+/Product/
system      SUNWutkio      Sun Ray server Controlled Access Mode
 /cdrom/sun_ray_13/Controlled_Access_Mode/Solaris_2.6+/Product
system      SUNWbbchr      chroot runtime environment for BB

Package location on Sun Ray[TM] Server Software 2.0 CDROM:

 /cdrom/srss_2_0/Sun_Ray_Server_Software_2.0/Solaris_8+/Packages
system      SUNWutkio      Sun Ray server Controlled Access Mode
 /cdrom/srss_2_0/Controlled_Access_Mode_2.0/Solaris_8+/Packages
system      SUNWbbchr      chroot runtime environment for BB

Package location on Sun Ray[TM] Server Software 3.0 CDROM:

 /cdrom/srss_3/Sun_Ray_Core_Services_3.0/Solaris_8+/Packages
system      SUNWutkio      Sun Ray server Controlled Access Mode
system      SUNWutkir      Sun Ray server Controlled Access Mode
 /cdrom/srss_3/Controlled_Access_Mode_2.0/Solaris_8+/Packages
system      SUNWbbchr      chroot runtime environment for BB

____________________________________________________________________________

Note: These packages are part of the Sun Ray [TM] Server Software installation
and are installed by the utinstall script. They normally do not have to be
installed separately.
____________________________________________________________________________

Configuring the CAM Environment:

The configuration of the CAM Environment is done by utconfig and must be
done before CAM related policies are made available in the Admin GUI.

Admin GUI Menu Path: ADMIN->POLICY

Admin GUI with utconfig run, and NO CAM Environment Configured.
__________________________________________________________________________

 Change Policy		(Example Only Not to scale)      Server:SunRay 1.3
___________________________________________________________________________
 Card Users					     Non-Card Users
                                               O Enable Mobile Sessions
  Access:                                       Access:
O None                                       O None   
 * All Users                                  * All Users  
 O Registered Users                           O Registered Users   
 O Allow Self Registration                   O Allow Self Registration    
      O Self Registration Requires Solaris Authentication
 ___________________________________________________________________________
 Multihead Features enabled: O Yes * NO
___________________________________________________________________________

When utconfig is run you are asked the following default questions
for configuring the CAM Environment:

 Configure Controlled Access Mode? (y/[n])? y
Enter user prefix [utcu]:
Enter userID range start [150000]:      (Default start uid)
Enter number of users [25]:      (Default range of anonymous users)

Note: You must check for a uid conflict prior to configuring the Cam
environment.

The default uid range for CAM starts at 150000 out to the number of
anonymous users you are configuring for the server. The default anonymous
users configured is 25, so your default range of uids would be from 150000
to 150024 with the default choices selected.

These ranges are configurable.

A conflict of uids or anonymous user names will cause the CAM configuration
to fail and may cause utconfig to exit prematurely.

Example: passwd uid conflict with the first default CAM uid of 150000 will
result in the following failure.

Passwd entry:

 test:x:150000:10:Test User:/tmp:/bin/sh

Results in the following error:

 Checking for previous Controlled Access Mode configuration ...
not configured...
Adding new Controlled Access Mode configuration ...
passwd entry for utcu0 failed
no users configured

Controlled Acccess Mode configuration failed! Please remove all
users with the comment field 'ControlledAccessUser' from the
/etc/passwd file and run utconfig to create a Controlled Access
Mode configuration.

 /var/opt/SUNWut/kiosk/kiosk.conf updated

Example: passwd uid conflict with any CAM user uid will result in the
following failure.

In this example we took the default 25 users to be created.

 Passwd entry:
test:x:150020:10:Test User:/tmp:/bin/sh (This is a conflict with uid
for utcu20 CAM user.)

Results in the following error:

 Checking for previous Controlled Access Mode configuration ...
not configured...
Adding new Controlled Access Mode configuration ...
....................passwd entry for utcu20 failed
20 users configured

Controlled Acccess Mode configuration failed! Please remove all
users with the comment field 'ControlledAccessUser' from the
/etc/passwd file and run utconfig to create a Controlled Access

This created CAM user entries from utcu0 - utcu19

Enabling the utpolicy for CAM will result in 20 CAM users but not the
25 users as was expected.

Best resolution for this issue is to run "utconfig -u" and use a different
range of uids for your CAM anonymous users to avoid any conflicts.

Then run utconfig again.

 Admin GUI with utconfig run and CAM Environment Configured.
 ___________________________________________________________________________
 Change Policy		(Example Only not to scale)      Server:SunRay 1.3
___________________________________________________________________________
 Card Users					     Non-Card Users
 O Controlled Access Mode                      O Controlled Access Mode
                                             O Enable Mobile Sessions
 Access:                                       Access:
O None                                       O None   
 * All Users                                  * All Users  
 O Registered Users                           O Registered Users   
  O Allow Self Registration                   O Allow Self Registration    
      O Self Registration Requires Solaris Authentication
 ___________________________________________________________________________
 Multihead Features enabled: O Yes * NO
___________________________________________________________________________

Enabling Controlled Access Mode

The CAM feature is administered through the Sun Ray Administration Tool or
through the Command-line Interface (CLI).

CAM is a policy decision that affects system-level operations. Turn
controlled access mode on and off in the Change Policy section of the Admin
function of the Administration Tool.

You can enable the CAM Policy option for smart card users, non smartcard
users, or both.

When controlled access mode is turned on, kiosk.start uses scripts to
choose temporary users and home directories, then uses the kiosk.conf file
to configure and populate the user's environment and to launch enabled
applications. When a session terminates, kiosk.start cleans up all the
files and entries related to the session, then recreates the environment
for a new user.

To enable CAM policy through CLI.

Login on a Sun Ray server as root to enable CAM

1)cd /opt/SUNWut/sbin
2)./utpolicy -a -g -k card -z both (this enables kiosk with smart card and login screen without)
3)./utpolicy -i clear (this restart Sun Ray services, all sessions will be lost)
or
./utpolicy -i soft (this resets Sun Ray services, existing sessions
will be preserved, but may no longer be accessible if the policy change was significant)

The policy change to CAM is significant. For example, after
turning on CAM for non smartcard users only, and resetting Sun
Ray services, existing "pseudo terminal" or non smartcard mobility
sessions will continue to run and consume ressource, but can no longer
be accessed, while existing smartcard sessions can still be
accessed. Thus, when enabling or disabling CAM, you should scedule
an outage to restart Sun Ray services.

You are presented with the following banner after the utpolicy command
has be run and the policy change was made.

THE MOST RECENT POLICY CHANGE WAS SIGNIFICANT

(If you cannot afford to terminate existing sessions, then you can restart
the authentication manager without clearing existing sessions. Note that
some sessions that were granted access under the old policy may persist.
Use the following command to restart the authentication manager without
clearing existing sessions: "/opt/SUNWut/sbin/utpolicy -i soft")

The authentication manager must be restarted for changes to take
effect. Note that all existing sessions will be terminated. Please run
the following command:

       /opt/SUNWut/sbin/utpolicy -i clear

To Enable Controlled Access Mode with the Admin GUI

Bring up your browser and login to Admin GUI:

1a) http://<server name>:1660 (If remote server administration enable) or
1b) http://localhost:1660 (If remote server administration not enabled)
1c) https://<server name>:1660 (If SSL is enabled and certificates are valid)

2)login: admin and enter password you defined in utconfig

3)Select the arrow to the left of Admin to expand the navigation menu.

4) Click the Policy link.

5) For smart card users, select the Controlled Access Mode check box in the Card Users column.
All smart card users get a Controlled Access Mode session.

6) For non-smart card users, select the Controlled Access Mode check box in the Non-Card Users column.

7) Click the Apply button.

8) Select the Reset Services menu.

9) Under Scope, click the Local or Group radio button, depending on the failover scenario.

10) Click the Reset or Restart button. Again, a services restart is recommended to avoid leaving behind existing sessions which cannot be accessed any more after the significant policy change.

CAM Setup in a Failover Group

The CAM environment must be configured on all servers in a failover group.
To change the policy on a Sun Ray[TM] Server Software 1.x failover
configuration, you must use utglpolicy or the Admin GUI, not utpolicy.

In a failover environment, the administrative settings in the kiosk.conf
file are copied to the failover servers. Be sure that all application paths
added to the Controlled Access Mode sessions are copied across the servers
in the failover group. For example, if the Netscape application is added to
the sessions with the executable path, /usr/local/exe/netscape, make sure
that the path to the binary is available to all servers in the failover group.

Note - Applications must be installed in the same location and set up the
same way on each server in the failover group. Prototypes and wrapper
scripts must also exist on each server in the failover group.

Additional Note: For futher setting or changes available in CAM please
refer to the Sun Ray[TM] Software 1.3 Advanced Administrator's Guide, the Sun Ray [TM] Server Software 2.0 Administrator's Guide, or the Sun Ray [TM]
Server Software 3.0 Administrator's Guide located at /opt/SUNWut/doc on your Sun Ray Server. You can also find the documentation on http://www.oracle.com/technetwork/server-storage/sunrayproducts/docs/index.html and
http://www.oracle.com/us/technologies/virtualization/061984.html

Controlled Browser

The Controlled Browser is an unsupported product.

For your convenience, with Sun Ray[TM] Server Software 1.3 and 2.0, we have provided a sample implementation of the Netscape Navigator 4.76 browser. This browser is provided in English only and has not been localized.

The objective of this implementation is to provide a browser environment
for a publicly accessed Sun Ray appliance with minimal risk of server
security compromise.

The browser is specially set up to provide for a more controlled and
secure browser environment.

Netscape Navigator functions normally with the exception of disabled
downloads and a new GUI print interface to the command-line print interface.

Installing the Controlled Browswer:

Do not install a controlled browser until your system is configured with
Controlled Access Mode. Please run the utconfig.

Controlled Browser Package located here in Sun Ray 1.3

1.cd /cdrom/sun_ray_13/Supplemental/Controlled_Browser/Solaris_2.6+/Product

Controlled Browser Package located here in Sun Ray 2.0

1.cd /cdrom/srss_2_0/Supplemental/Controlled_Browser/Solaris_8+/Packages

2. Execute the cbinstall install script

 #./cbinstall

Note: In order for the Controlled Browser feature to work properly, the Sun
Ray server must have DNS enabled. This can be done by setting up the file
/etc/resolv.conf on the system. The file format is as follows:

 domain {DNS domain name}
nameserver {DNS server IP address}
nameserver {backup DNS server IP address if available}

An example of this file is as follows:

 domain sun.com
nameserver 100.111.1.110
nameserver 100.111.1.111
nameserver 100.111.1.112

More information on resolv.conf can be found on its man page man resolv.conf.

The use of DNS also requires that dns be added to the /etc/nsswitch.conf
file in the hosts: line which should look simalar to this

 # "hosts:" and "services:" in this file are used only if the
hosts:      files nis dns

(Your entry may very based on the name services you are running in your environment.)



Product
Sun Ray Server Software 2.0
Sun Ray Server Software 1.3
Sun Ray Server Software 3.0
Sun Ray 1g Ultra-Thin Client
Sun Ray 1 Ultra-Thin Client
Sun Ray 100 Ultra-Thin Client
Sun Ray 150 Ultra-Thin Client
Sun Ray 170 Ultra-Thin Client

Internal Comments
pete.tapia@Sun.COM



Sun Ray, sunray, CAM, Controlled Access Mode
Previously Published As
72329

Change History
Date: 2006-01-22
User Name: 18392
Action: Update Canceled
Comment: *** Restored Published Content *** SSH Audit
Version: 0
Date: 2006-01-22
User Name: 18392
Action: Update Started
Comment: SSH Audit
Version: 0

Date: 2006-01-17
User Name: 18392
Action: Update Canceled
Comment: *** Restored Published Content *** SSH Audit
Version: 0

Date: 2006-01-17
User Name: 18392
Action: Update Started
Comment: SSH Audit
Version: 0


Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.
 Feedback