Citrix ICA client question

Hello,

I wish to log on to our system at work from home. I have the crypto card and correct address, my usename and password. I have installed Citrix ICA client but when I try to log on to work through the secure website, I receive the message: “you have not chosen to ‘entrust.net Security Server Certification Authority’, the issuer of the server’s security certificate.”

Can anyone tell me how to correct this problem? It used to work. And my Windows XP office computer works. I am running Linux 11.2. Our help desk has not helped as they are familiar with Windows not Linux.

Hope you can help.

Thanks

Mark

heseltine wrote:
> Hello,
>
> I wish to log on to our system at work from home. I have the crypto
> card and correct address, my usename and password. I have installed
> Citrix ICA client but when I try to log on to work through the secure
> website, I receive the message: “you have not chosen to ‘entrust.net
> Security Server Certification Authority’, the issuer of the server’s
> security certificate.”
>
> Can anyone tell me how to correct this problem? It used to work. And my
> Windows XP office computer works. I am running Linux 11.2. Our help desk
> has not helped as they are familiar with Windows not Linux.

ICAClient stores its Root Authority files at:
/usr/lib/ICAClient/keystore

If you have the root auth cert for your
entrust certs, try putting that there.

Hello CJ, thank you for the reply.

I’ve found the certs in thekeystore at ICACLient where the client is installed. So, I copied them (as root) to
/usr/lib/ICAClient/keystore

I then tried to import the certs via Kleopatra. It would not import the SecureServer.crt but would import the others there. The message I receive when trying to run a programme from the server is that I have not accepted the 'entrust.net security server cert.

So I am clearly operating blindly (not good). If Windows will let me log on to the work server using ICAClient after downloading the ICA client and without configuring, then I suspect it ought to work in Suse. It is a matter of figuring it out.

So, what would you suggest? Does the cert originate at the destination server? If so, how do I set Suse to accept it when it is offered (assuming it is offered after I log on and try to run a programme). Is the answer to be found using the Kleopatra programme?

Hope you can help.

Regards,
Mark

On Thu, 2010-01-21 at 05:06 +0000, heseltine wrote:
> Hello CJ, thank you for the reply.
>
> I’ve found the certs in thekeystore at ICACLient where the client is
> installed. So, I copied them (as root) to
> /usr/lib/ICAClient/keystore
>
> I then tried to import the certs via Kleopatra. It would not import the
> SecureServer.crt but would import the others there. The message I
> receive when trying to run a programme from the server is that I have
> not accepted the 'entrust.net security server cert.

My guess is that you NEED to trust entrust as a root CA. That means
you’d have to add an entrust certificate to the directory so that
certs are ‘ok’ if they come from that CA.

Check here for the certificates for entrust…

http://www.entrust.net/developer/index.cfm

One or more of these needs to be in that directory (if I’m
right about the problem).

Hello, CJ,

It worked. I don’t know how I did it, but I found the SSL cert and downloaded it to the cert store directory, and then had Kleopatra import it. It was a bit tricky as it did not work on first effort so I can’t positively list the steps. Needless to say, there is a bit of ‘fuzzy logic’ involved (ie muddling through) which seems to have worked.

Many thanks.

By the way, I love the image of you - with that look of incredulity. I can just see you giving me that look as you read my post while shaking your head. :wink:

thank you,

Regards,

Mark

On Fri, 2010-01-22 at 01:56 +0000, heseltine wrote:

> Many thanks.

You’re welcome.

>
> By the way, I love the image of you - with that look of incredulity. I
> can just see you giving me that look as you read my post while shaking
> your head. :wink:

My daughter takes great pictures of me that make me appear “not so fat”.

Hi I have installed Citrix ICA Client, and set firefox to open ICA files with Citrix ICA Client, but when I try to open an application from ITFarm.co.uk it says nothing is installed to handle ICA clients should firefox try to install a plugin to handle this kind of file?

(I think the company are using ICA 9 and I downloaded ICA 11) does it make any difference?

Many Thanks
Stuart

I post a list of all the steps I took to install a Citrix Client and to communicate with my work place. Some of the steps may help you.

  1. Dependency:
    OpenMotif v2.3.1 or higher

  2. Download Citrix client

Citrix Systems » Citrix Downloads » XenApp » Citrix Clients

download the tar file and untar the file

  1. ./setupwfc

This will run the installation script as root. Answer the questions and it is done. Say yes to integration to kde/gnome and to the browser.

  1. log on to my.work.org (of course use your work place instead)

  2. After loading the application from my my.work.org

The next screen will ask you to download the Citrix client if you do not have it or continue. Choose < Continue>

Few alternatives on the next screen.:

a. if a windows comes saying <open browse> means that the system does not know with which application to open the file so you have to point to the correct application which is

/usr/lib/ICAClient/wfica

b. if may load the client but with an error something like

“You have chose not to trust Equifax Secure Certificate Authority, the issuer of the server’s security certificate.”

You have the certificate but the client can not see it.

So just download the certificates:
Download Root Certificates - GeoTrust

Root 1 - Equifax Secure Certificate Authority
Root 2 - GeoTrust Global CA

Move the certificates.cer and change the extensions to certificates.crt

Copy .crt file into /usr/lib/ICACleint/keystore/cacerts

Change the permission to 777

#chmod 777 -R /usr/lib/ICAClient/keystore/cacerts

Now close firefox and opens it again and you should be fine.

Regards

-=terry=-