Difference: APPXLoginManagerForUnixLinux (64 vs. 65)

Revision 65 - 2016-02-25 - JeanNeron

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Login Manager For Unix/Linux

Changed:
<
<
This page describes how to install the APPX Login Manager command and how to use it to install, configure, and manage APPX Login Services on Unix/Linux systems.
>
>
This page describes how to install the APPX Login Manager command and how to use it to install, configure, and manage APPX Login Services on Unix/Linux systems.


  The APPX Login Manager command is used to configure and manage APPX Login Services.
Line: 132 to 133
  The first form of the -install command requires only that a service name be specified. All other options are optional including the TCP/IP port. Any option not specified will be configured with an appropriate default value.
Changed:
<
<
The second form of the -install command requires only that a TCP/IP port be specified. All other options are optional including the ServiceName. Any option not specified will be configured with an appropriate default value.
>
>
The second form of the -install command requires only that a TCP/IP port be specified. All other options are optional including the <nop>ServiceName. Any option not specified will be configured with an appropriate default value.
  Both forms of the -install command allow additional configuration options to be specified. The configuration options specified are stored in the service configuration file (ini).
Line: 163 to 164
 
Options - General
Changed:
<
<
-name, -ServiceName=SERVICENAME
The ServiceName uniquely identifies an APPX connection service. When creating (installing) a connection service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when a connection service is being created, the connection service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g. "appx-8060".
>
>
-name, -ServiceName=SERVICENAME
The <nop>ServiceName uniquely identifies an APPX connection service. When creating (installing) a connection service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when a connection service is being created, the connection service will be created with a default <nop>ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g. "appx-8060".
  -DisplayName=DISPLAYNAME
Changed:
<
<
The DisplayName is a "user-friendly" descriptive name for a connection service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when a connection service is being created, the connection service will be created with a DISPLAYNAME based on the SERVICENAME.
>
>
The <nop>DisplayName is a "user-friendly" descriptive name for a connection service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when a connection service is being created, the connection service will be created with a DISPLAYNAME based on the SERVICENAME.
  -engine, -AppxExecutable={../appx, PATHNAME}
This option identifies the PATHNAME of the APPX engine that is to be run when initiating an APPX session. The specified PATHNAME may be absolute or it may be relative to directory in which the service configuration file (ini) for the connection service is located. If this option is not specified, the default PATHNAME of "../appx" is used to initiate an APPX session.

-LogDirectory={/tmp, LOGDIR}

Changed:
<
<
When the service is started, two log files are created in the LOGDIR directory - a connection service log file (.log) and a status file (.stat). Both log files have the same name as the ServiceName but one has a file extension of .log and the other has a file extension of .stat. If the LogDirectory option is not specified, the log files are created in the /tmp directory.
>
>
When the service is started, two log files are created in the LOGDIR directory - a connection service log file (.log) and a status file (.stat). Both log files have the same name as the <nop>ServiceName but one has a file extension of .log and the other has a file extension of .stat. If the <nop>LogDirectory option is not specified, the log files are created in the /tmp directory.
  -AM, -AuthenticationMethod={OS-User, Appx-User, HT-User(HTFILENAME)}
This option identifies the method by which the user ID and the password are to be validated when a connection request is received. If 'OS-User' authentication is specified, the user ID and the password are validated by the connection service using the operating system's authentication service. If 'Appx-User' authentication is specified, the user ID and the password are validated by APPX using the user file and auxiliary password which is maintained in APPX System Administration. If 'HT-User(HTFILENAME)' authentication is specified, the user ID and the password are validated by the connection service using the HTFILENAME file is maintained with the htpasswd utility. If you specify 'Appx-User' authentication or HT-User authentication, the user being validated does not need an OS user account. If no authentication method is specified, the default authentication method is OS-User.
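
Review bot: In the -name, -ServiceName description the default-name template and its example disagree: the template is "appxd-" followed by the port number, but the example given is "appx-8060". This revision only added the <nop> escapes and carried the mismatch forward; pick one prefix and use it in both places, since the same paragraph group ties the .log and .stat file names to the ServiceName. In the same hunk, the HT-User sentence under -AuthenticationMethod reads "using the HTFILENAME file is maintained with the htpasswd utility" and needs "which" before "is maintained".
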
Line: 192 to 193
 -ServiceDisableAppxKeys={true, false}
This option can be used to disable the ability to define an APPX keymap. If set to true, those interactive clients which support the ability to define an APPX keymap will not be allowed to do so.
Changed:
<
<
-initScript={lsb, RedHat}
>
>
-initScript={lsb, <nop>RedHat}
 
Used with -install option to specify the type of operating system that the service script is to be created for. If this option is not specified, appxLoginMgr will determine which type of service script to install.

Options - Session Identity/Permissions

-ImpersonateUID={true, false}

Changed:
<
<
If this value is set to false, an APPX session which is initiated by the connection service will run as the user of the connection ServiceOwner. Set this value to true if you want the APPX session to run with the permissions of a user (impersonate) other than the user of the connection service. If this value is set to true, then the ImpersonateUser option determines which user the APPX session should impersonate.
>
>
If this value is set to false, an APPX session which is initiated by the connection service will run as the user of the connection <nop>ServiceOwner. Set this value to true if you want the APPX session to run with the permissions of a user (impersonate) other than the user of the connection service. If this value is set to true, then the <nop>ImpersonateUser option determines which user the APPX session should impersonate.
 
Changed:
<
<
-ImpersonateUser={LogonUser, NamedUser(USERID), ServiceOwner}
>
>
-ImpersonateUser={LogonUser, <nop>NamedUser(USERID), <nop>ServiceOwner}
 
This option determines which O/S user the APPX session should impersonate (run as).
Changed:
<
<
If LogonUser is specified, the user ID of the APPX session will be set to the user ID that was provided by the client login. This user ID must be a valid O/S user. The connection service must be running with the permissions of the root user if the LogonUser option is specified.
>
>
If <nop>LogonUser is specified, the user ID of the APPX session will be set to the user ID that was provided by the client login. This user ID must be a valid O/S user. The connection service must be running with the permissions of the root user if the <nop>LogonUser option is specified.
 
Changed:
<
<
If NamedUser is specified, the user ID of the APPX session will be set to the specified USERID. This USERID must be a valid O/S user. The connection service must be running with the permissions of the root user if the NamedUser option is specified.
>
>
If <nop>NamedUser is specified, the user ID of the APPX session will be set to the specified USERID. This USERID must be a valid O/S user. The connection service must be running with the permissions of the root user if the <nop>NamedUser option is specified.
 
Changed:
<
<
If ServiceOwner is specified, the user ID of the APPX session will be the user ID that the connection service is running as.
>
>
If <nop>ServiceOwner is specified, the user ID of the APPX session will be the user ID that the connection service is running as.
 

-ImpersonateGID={true, false}

Changed:
<
<
If this value is set to false, an APPX session which is initiated by the connection service will run with the group permissions of the connection ServiceOwner. Set this value to true if you want the APPX session to have group permissions based on the ImpersonateGroup option.
>
>
If this value is set to false, an APPX session which is initiated by the connection service will run with the group permissions of the connection <nop>ServiceOwner. Set this value to true if you want the APPX session to have group permissions based on the <nop>ImpersonateGroup option.
 
Changed:
<
<
-ImpersonateGroup={User, LogonUser, LogonGroup, NamedGroup(GROUPNAME), ServiceOwner, ServiceGroup}
>
>
-ImpersonateGroup={User, <nop>LogonUser, <nop>LogonGroup, <nop>NamedGroup(GROUPNAME), <nop>ServiceOwner, <nop>ServiceGroup}
 
This option determines which group permissions the APPX session should run with.

If User is specified, the APPX session will run with the group permissions of the user that the session is running as (impersonating).

Changed:
<
<
If LogonUser or LogonGroup is specified, the APPX session will run with the group permissions of the user ID that the client provided in conjunction with the connection request. The user ID must be a valid O/S user.
>
>
If <nop>LogonUser or <nop>LogonGroup is specified, the APPX session will run with the group permissions of the user ID that the client provided in conjunction with the connection request. The user ID must be a valid O/S user.
 
Changed:
<
<
If NamedGroup is specified, the group permissions of the APPX session will be set to the specified GROUPNAME. This GROUPNAME must be a valid O/S group.
>
>
If <nop>NamedGroup is specified, the group permissions of the APPX session will be set to the specified GROUPNAME. This GROUPNAME must be a valid O/S group.
 
Changed:
<
<
If ServiceOwner or ServiceGroup is specified.
>
>
If <nop>ServiceOwner or <nop>ServiceGroup is specified.
 

-Umask=FILECREATIONMASK
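
Review bot: Under -ImpersonateGroup the last case, "If ServiceOwner or ServiceGroup is specified.", is an incomplete sentence in both the old and the new text, so the section never says which group permissions the session gets for those two values. Complete it in the same form as the User, LogonUser/LogonGroup and NamedGroup cases. The requirement that the connection service run as root is stated for LogonUser and NamedUser under -ImpersonateUser but not for the LogonUser, LogonGroup or NamedGroup values of -ImpersonateGroup; say whether it applies there as well.
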

Line: 260 to 261
 
This option is used to tune the network performance of the APPX session. When set to true, TCP will send partially filled packets of data rather than wait for a packet to fill before sending it. This can result in improved interactive response time for the APPX session but will likely increase the number of data packets being transmitted over the network.

-TCPEnableKeepAlive={true, false}

Changed:
<
<
Set this option to true if you want an APPX session to be able to detect that the connection between an APPX session and an APPX client has been lost. If this option is set to true and an APPX session has been waiting for a response from an APPX client for the length of time specified by TCPKeepIdle, then the APPX session will attempt to contact the APPX client to see if it can still be reached. If the APPX client cannot be contacted, then the APPX session will attempt to contact the APPX client every TCPKeepInterval seconds up to TCPKeepCount times. After TCPKeepCount attempts, if the APPX client is unable to be contacted, then the APPX session terminates.
>
>
Set this option to true if you want an APPX session to be able to detect that the connection between an APPX session and an APPX client has been lost. If this option is set to true and an APPX session has been waiting for a response from an APPX client for the length of time specified by <nop>TCPKeepIdle, then the APPX session will attempt to contact the APPX client to see if it can still be reached. If the APPX client cannot be contacted, then the APPX session will attempt to contact the APPX client every <nop>TCPKeepInterval seconds up to <nop>TCPKeepCount times. After <nop>TCPKeepCount attempts, if the APPX client is unable to be contacted, then the APPX session terminates.
  -TCPKeepIdle={300, SECONDS}
This option is used to set the number of seconds that an APPX session is to wait for a response from an APPX client before checking to see if the client can still be contacted.
Line: 288 to 289
 
This option identifies the pathname of the server's X509 certificate (leave blank for anonymous connections).

-ServerPrivateKeyFile=KEYFILENAME

Changed:
<
<
This option identifies the pathname of server's private key file (unlocks the ServerCertificateFile).
>
>
This option identifies the pathname of server's private key file (unlocks the <nop>ServerCertificateFile).
  -RequireSSL={true, false}
This option is not needed and has not been implemented.
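
Review bot: The -ServerPrivateKeyFile description says the key file "unlocks the ServerCertificateFile", which does not describe how the two files relate; say that it is the private key belonging to the certificate named by the server certificate option, and add "the" before "server's". Because this file holds the service's private key, the description should also state what ownership and file permissions it is expected to have. The -RequireSSL entry is documented as not implemented, so it would help to say whether setting it has any effect.
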
Line: 440 to 441
 

The Status File (stat)

Changed:
<
<
When an APPX Connection Service is started, a status file is created in the specified LogDirectory. If a LogDirectory was not specified, then the status file is created in the /tmp directory.
>
>
When an APPX Connection Service is started, a status file is created in the specified <nop>LogDirectory. If a <nop>LogDirectory was not specified, then the status file is created in the /tmp directory.
  The name of the status file is the concatenation of the service name and ".stat". For example, if the service name is "appxd-8430", the name of the status file will be "appxd-8430.stat".
Line: 497 to 498
 

The Log File (log)

Changed:
<
<
When an APPX Connection Service is started, a log file is created in the specified LogDirectory. If a LogDirectory was not specified, then the log file is created in the /tmp directory.
>
>
When an APPX Connection Service is started, a log file is created in the specified <nop>LogDirectory. If a <nop>LogDirectory was not specified, then the log file is created in the /tmp directory.
  The name of the log file is the concatenation of the service name and ".log". For example, if the service name is "appxd-8430", the name of the log file will be "appxd-8430.log".
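
Review bot: The log file paragraph keeps /tmp as the default when LogDirectory is not specified, and the next sentence makes the file name fully predictable from the service name ("appxd-8430.log"). /tmp is normally writable by every local user, and the -ImpersonateUser text on this page requires the connection service to run as root for LogonUser and NamedUser, so this paragraph should recommend setting -LogDirectory to a directory that only the service owner can write to. The same point applies to the .stat file described in the previous section.
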
Line: 550 to 551
 handleClients - waiting
Changed:
<
<
>
>

#RedHatServiceCommand
 

Red Hat service command.

Line: 587 to 588
  This warning message is displayed when you start a service and the engine specified for AppxExecutable has the setuid bit set.
Changed:
<
<
When launching an APPX session, the APPX Login Manager sets the real user ID and the effective user ID of the APPX session based on the value specified for the ImpersonateUser parameter. If the engine has the setuid bit set, then the effective user of the APPX session will be changed by the operating system to be the owner of the APPX engine and the APPX session will run with the permissions of that user.
>
>
When launching an APPX session, the APPX Login Manager sets the real user ID and the effective user ID of the APPX session based on the value specified for the <nop>ImpersonateUser parameter. If the engine has the setuid bit set, then the effective user of the APPX session will be changed by the operating system to be the owner of the APPX engine and the APPX session will run with the permissions of that user.
 
Warning - the engine that you named has the setuid bit enabled, 
you may not want that bit set for the authentication 
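
Review bot: The paragraph above the warning text stops short of the consequence: when the engine named by AppxExecutable has the setuid bit set, the ImpersonateUser setting no longer decides the effective user of the session, and if that engine is owned by root every session runs with root's permissions. State that directly and tell the reader how to check and clear the bit (for example ls -l on the engine, then chmod u-s). As shown here the quoted warning also ends mid-sentence at "for the authentication"; quote the full message.
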

Line: 598 to 599
 

Issues:

  1. The stop option of the Red Hat service command has a problem. It does seem to remove the running process; however, it produces errors. Further, it fails to remove the PID from the (/var/run/appx-8060.pid)
    /etc/init.d/appx-8060: line 39: success: command not found
    /etc/init.d/appx-8060: line 39: failure: command not found
    /etc/init.d/appx-8060: line 43: failure: command not found
  2. The setuid warning message is displayed every time a configuration is loaded or saved. This results in the message being displayed up to three times depending on the command being executed. Perhaps it should only be displayed when a configuration is saved.
Changed:
<
<
  1. The setuid warning indicates that it is triggered by the OSUser AuthenticationMethod. AuthenticationMethod is not influenced by the setuid bit being turned on. However, ImpersonateUser is impacted.
>
>
  1. The setuid warning indicates that it is triggered by the OSUser <nop>AuthenticationMethod. <nop>AuthenticationMethod is not influenced by the setuid bit being turned on. However, <nop>ImpersonateUser is impacted.
 

Enhancement Suggestions:

  1. To match the Windows platform, he following should be valid syntax: "appxLoginMgr -install". It should default to port 8060, or the Windows platform should not default to port 8060.
  2. In an effort to make appxdsvc and uappxd (appxLoginMgr) as similar as possible, consider allowing -status as a single argument that would list all appxLoginMgr daemons. (Perhaps this isn't practical on Unix platforms)
  3. APPX_KEYMAP environment variable should be initialized upon default install options. Currently "appxLoginMgr -install -SockPort=8060" does not place APPX_KEYMAP into appxLoginMgr-8060.env.
  4. appxLoginMgr should create .ini and .env files in the tools subdirectory, and not in the current working directory.
Changed:
<
<
  1. The appxLoginMgr -replace argument should require the -ServiceName option, and not assume ServiceName =appx-8060.
>
>
  1. The appxLoginMgr -replace argument should require the -ServiceName option, and not assume <nop>ServiceName =appx-8060.
 
  1. The requirements for use of -name argument seem inconsistent. Below are examples where + works, and - does not.
    1. (-) ./appxLoginMgr -modify appx-8060 -TCPNodelay=false

    2. (+) ./appxLoginMgr -modify -name=appx-8060 -TCPNodelay=false
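
Review bot: Wording defects in this section were carried through the revision unchanged: enhancement suggestion 1 reads "he following should be valid syntax" (should be "the following"), and the -replace item has a stray space in "ServiceName =appx-8060". The changed items also show as "1." in the middle of both numbered lists, so check that the numbering is still sequential in the saved topic.
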
Line: 657 to 658
  An Appx System administrator can connect to another users disconnected session, if they know the PID of the lost session.
Changed:
<
<
In Release 5.4.4, a list of dropped sessions will be displayed automatically, eliminating the need to remember PID's.
>
>
In Release 5.4.4, a list of dropped sessions can be displayed, eliminating the need to remember PID's.
 

PAM Capable (5.3 & Up)

In Release 5.3, PAM capability was added. See Login Manager PAM Capable for more information.

Added:
>
>

Reconnect Revisited (5.4.4)

To make managing reconnects easier, in 5.4.4 a 'Sessions' button was added to the login dialog box for both APPX Desktop Client and the HTML client. To access the 'Sessions' list, enter your login information as usual and click the 'Sessions' button instead of 'Login'. You can use this even if you have not set up your login manager for reconnections. You won't be able to reconnect to a session, but you will be able to manage other sessions.

You will get a display similar to the following:

sessions.png

The display automatically refreshes every 30 seconds, or you can click 'Refresh' to manually refresh the display. The information on the process currently running is only shown if you have enabled the APPX Monitor (See APPX Monitor for details). If not enabled, those columns will be blank.

If you are an APPX System Administrator, you will see all APPX sessions. If you are not an Administrator, you will only see your own sessions.

New - Starts a new session using your current login information (user, password, server & port).

Attach - This button is only enabled if your login manager has been configured to allow reconnections, in which case the Workstation IDs will be 'PIPE' as in the example above. The second session (on /dev/pts/1) is a character mode session, which you cannot Attach to. If your login manager is not configured for reconnections, then the Workstation ID will be either an IP address (for GUI connections) or a /dev/ address for a character mode connection. Since an APPX System Administrator will see all running sessions, they can Attach to any user's session. A new window will open on the Administrators desktop, and the client window on the users desktop will close (when they attempt to use their session). A non Administrator will only see their own sessions, and therefore can only Attach to their own session.

Kill - This will attempt to cancel the selected session. This will only be successful if you have sufficient O/S permissions to allow it, i.e., you have Administrator level. See .UTIL KILL SESSION for more information.

Exit - This will exit the session manager without logging in to APPX.
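
Review bot: In the added "Reconnect Revisited" section the Kill entry equates two different things, "sufficient O/S permissions" and "Administrator level". Say which check decides whether the kill succeeds: the O/S permissions on the session process or the APPX System Administrator status of the user. The Attach entry lets an administrator take over any user's session and closes that user's client window, so the section should say whether that action is recorded anywhere, for instance in the connection service log. Possessives need apostrophes in "the Administrators desktop" and "the users desktop".
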

 


-- Page added by: Steve - 17 Jul 2007

Added:
>
>
META FILEATTACHMENT attachment="sessions.png" attr="h" comment="" date="1456425149" name="sessions.png" path="sessions.png" size="60247" user="JeanNeron" version="1"
 
META TOPICMOVED by="SteveFrizzell" date="1221836690" from="Main.APPXConnectionManagerForUnixLinux" to="Main.APPXLoginManagerForUnixLinux"
 