Webtop Client has to accept security certificate at each login
Hello again,
another issue we currently are facing is that users who are connecting via the webtop client (btw the NC works way better, in ways of printing performance and login speed) have to accept the security warning EVERY time:
"The Secure Global Desktop server you're connecting to is using an untrusted or unrecognized security certificate.
Accept the certificate only if you are sure there is no security risk. If you are unsure, click Don't Accept and contact an Administrator (you won't be able to log in)...." and then it says "you are connecting for the first time blabla"...
This only happens when connecting to the classic Tarantella subsystem only, not to the SGD.
Any hints?
Regards
Joerg
# 2
> Hello again,
>
> another issue we currently are facing is that users
> who are connecting via the webtop client (btw the NC
> works way better, in ways of printing performance and
> login speed) have to accept the security warning
> EVERY time:
>
> "The Secure Global Desktop server you're connecting
> to is using an untrusted or unrecognized security
> certificate.
>
> Accept the certificate only if you are sure there is
> no security risk. If you are unsure, click Don't
> Accept and contact an Administrator (you won't be
> able to log in)...." and then it says "you are
> connecting for the first time blabla"...
>
> This only happens when connecting to the classic
> Tarantella subsystem only, not to the SGD.
>
> Any hints?
>
> Regards
> Joerg
Joerg,
it'd be great to know which version of SSGD you're playing with.
I assume this is version 4.3x but assumptions do not always work :-)
If the above stands, the release notes for SSGD 4.31 say:
=== cut here === 8< ===
Protecting Clients Against Unauthorized Servers
As the SGD Client can now start and log in automatically, it is vital that users only
connect to a host that is trusted. In this release, users must explicitly authorize the
connection to SGD.
When a user connects to a SGD host for the first time, they see an Untrusted Initial
Connection warning message that asks them whether they really want to connect to
the host. The message displays the host name and fingerprint of the security
certificate for the server they are connecting to. Users should check these details
before clicking Yes. Once a user agrees to the connection, they are not prompted again
unless there is a problem.
To ensure that users only connect to SGD servers that are trusted, SGD
Administrators should do the following:
■ Provide users with a list of host names and fingerprints for the servers that are
trusted. Use the tarantella security fingerprint command on each
member of the array to obtain a list of fingerprints.
■ Explain to users the security implications of agreeing to connect to server.
In a fresh installation, each SGD host has its own self-signed security certificate.
Administrators should obtain and install a valid X.509 certificate for each SGD host.
Note: If you are using the classic webtop, the Java technology client prompts users
every time it connects to a SGD server. The SGD Native Client never prompts users.
=== cut here === 8< ===
I think the above note is important.
For testing, using OpenSSL I manually created a local CA and signed a Certificate Signing Request generated by SSGD (tarantella security certrequest...); once I imported both the SSGD server and the CA certificates into the browser, everything worked fine.
Hope this helps.
Best,
Rob
Rob_Za at 2007-7-12 17:48:55 >
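
The test setup described in the reply above (a local CA signs the server's CSR, and the CA certificate is what gets imported as trusted), as an added example that is not part of the original posts. The host name `sgd.example.test`, the file names and the 30-day validity are constructed placeholders, the CSR is generated with `openssl` as a stand-in for the one `tarantella security certrequest` produces, and SHA-256 is an assumed fingerprint hash since the page does not say which one SGD prints.

```shell
#!/bin/sh
# Added example. Host name, file names and validity are constructed placeholders.
set -eu
umask 077   # keep the generated private keys readable by the owner only

# Build a throwaway CA in directory $1 and issue a server certificate for host $2.
make_test_chain() {
  dir=$1; host=$2
  # 1. Local test CA: private key plus self-signed CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Local Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Stand-in for the CSR that "tarantella security certrequest" would
  #    produce on the SGD host; generated with openssl so this runs anywhere.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # 3. Sign the CSR. The subjectAltName is added at signing time because
  #    current browsers match the host name against SAN, not CN.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -sha256 -days 30 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# True only if certificate $2 chains to CA certificate $1.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Colon-separated SHA-256 fingerprint of certificate $1 (hash choice is an
# assumption; use whichever hash the server-side fingerprint command reports).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo: build the chain, confirm it verifies, print the value to hand to users.
work=$(mktemp -d)
make_test_chain "$work" sgd.example.test
chain_ok "$work/ca.crt" "$work/server.crt" && echo "chain verifies against local CA"
echo "server fingerprint: $(cert_fingerprint "$work/server.crt")"
rm -rf "$work"
```

Only `ca.crt` is distributed to clients; `ca.key` stays on the signing machine, since anyone holding it can issue certificates those clients will accept.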
