Secure Global Desktop 4.31 Administration Guide > Security > Securing connections between Secure Global Desktop servers
In a standard installation, the data transmitted between Secure Global Desktop servers in an array (including data sent from the Secure Global Desktop administration tools) is not encrypted. Secure Global Desktop Administrators can secure the connections between array members with SSL/TLS. Using SSL/TLS for these connections ensures that communication only takes place between servers that have authenticated to each other and ensures the integrity of the data.
Using SSL/TLS to secure intra-array communication means that each member of the array has to have a valid server peer certificate that has been signed by a trusted certificate authority (CA).
As the server peer certificates are only used internally by Secure Global Desktop, the primary server in the array acts as the CA. The primary has a self-signed CA certificate and a private key. All servers in the array have a copy of the primary's CA certificate in a trusted certificate store (the truststore).
All servers in the array (including the primary) have a server peer certificate and a private key. The server peer certificate is signed with the primary's CA certificate and contains a common name (CN) which is the peer DNS name of the Secure Global Desktop server.
When one member of the array connects to another (or an administration tool connects to an array member), the Secure Global Desktop server being connected to presents its server peer certificate as part of the SSL negotiation. The connecting server evaluates the certificate and checks:
If the certificate is valid, the SSL/TLS connection is established.
When you enable secure intra-array communication, Secure Global Desktop automatically generates and distributes the CA and server peer certificates to the members of the array. Whenever there is a change in the array structure, Secure Global Desktop automatically updates the CA and server peer certificates as needed:
Administrators can use the tarantella security peerca --show
command to view certificates in the truststore. The truststore contains the primary CA certificate.
tarantella array detach --secondary server
command (or use Array Manager) to detach the secondary servers.tarantella status
command returns the same result when you run it on each array member.tarantella stop
command to stop all servers.tarantella config edit --tarantella-config-security-peerssl-enabled 1
tarantella start
command to start all servers.tarantella array join --primary primary_server
command to add the server.tarantella security peerca --show
command to display the fingerprint for the primary server's CA certificate.tarantella status
command returns the same result when you run it on each array member.Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.