Personalizing Smart Cards for use with the Sun Ray Ultra Thin Terminals
-----------------------------------------------------------------------

Stoyan Angelov (s_angelov <at> filibeto <dot> org), filibeto.org
http://www.filibeto.org/~aduritz/truetrue/sunray/srss-sc-pers 

srss-sc-pers-01; July 8, 2005



These are just quick notes to get you started with personalizing smart cards for use with Sun Rays.
Use this at your own risk!
The OCF/ocfserv way of personalizing smart cards is used here; Sun also provides a PC/SC bypass
package for SRSS, which has to be installed additionally.


1. The test platform:

	* Solaris 10 3/05 SPARC (installed on a Sun Fire v100)
	* Sun Ray Server Software (SRSS) 3.1 beta release
	* Sun Ray 1 and Sun Ray 150 terminals
	* Payflex Smartcards with Sun artwork (Sun P/N: 370-4328-01) 


2. Smartcard Features:

A Solaris Smartcard provides a more secure method for logging in to the Solaris desktop environment 
than is provided by the standard UNIX login. Information that is stored on the smart card verifies
the identity of the user during login. A user who cannot provide the login information that is on the 
smart card is denied access to the desktop. The Solaris Smartcard software does the following:

	* Implements the Smartcard framework
	* Allows management from the Solaris Smartcard Console or the Solaris command line
	* Protects login to the desktop environment through PIN authentication
	* Provides a screen lock, using dtsession or xscreensaver, when a smart card is removed from 
	  the card reader

The Solaris Smartcard Administration Guide (http://www.filibeto.org/sun/lib/solaris10-docs/816-5182.pdf) 
gives detailed instructions on how to personalize smart cards for use with a Sun Workstation equipped with 
built-in or external smart card readers.

	
3. Starting the Smartcard Console:

	* Use one of your Sun Ray terminals to login to the Sun Ray Server (where SRSS is installed)
	* "su" to root
	* Verify that the ocfserv daemon is enabled:
	
		# svcs network/rpc/ocfserv
	  
	* Enable ocfserv if it is not running:
	
		# svcadm enable network/rpc/ocfserv
	
	* Start the Smartcard Console
		
		# /usr/dt/bin/sdtsmartcardadmin &
		

4. Sun Ray server Smartcard Reader Driver components:

In order for a smart card to be personalized, the Sun Ray built-in card reader must be visible in the 
"Card Readers" menu in the "Navigation" pane.

In SRSS 2.0 the postinstall script of the SUNWutscr package installed the Sun Ray server Smartcard Reader Driver 
components into the OCF server. Since the release of SRSS 3.0 this is no longer the case: for the Sun Ray 
card reader to be visible in the Smartcard Console, the drivers must be installed manually.


4.1 Installing the Sun Ray server Smartcard Reader Driver components:

	* Modify the OCF Server classpath file /etc/smartcard/ocf.classpath to include the line:
	  
	  /opt/SUNWut/lib/sunrayCTdriver.jar
	  
	* Modify the /etc/smartcard/opencard.properties file to include the SunRayDTU entry.
	  The correct way to do this is with the /opt/SUNWut/lib/ocf_termadmin utility, like this:
	
		# /opt/SUNWut/lib/ocf_termadmin -a "com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory|SunRayDTU|SunRayDTU-InternalReader|DTU@"
	  
	  To check if the entry was added successfully type:
	  
	  	# /opt/SUNWut/lib/ocf_termadmin -l
	  	
	  The output of this command should include a line like:
	  
		com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory|SunRayDTU|SunRayDTU-InternalReader|DTU@
		
	  Trying to use the /opt/SUNWut/lib/ocf_termadmin utility I got the following error:
	  
	  	ld.so.1: ./ocf_termadmin: fatal: relocation error: file ./ocf_termadmin: symbol OCF_GetProperty: referenced symbol not found
		Killed
	  
	  Modifying the /etc/smartcard/opencard.properties file manually resolves this problem. Here are the 
	  contents of the opencard.properties file that I use:
	  

#Thu Jul 07 16:35:42 EEST 2005
ocf.server.authservicelocations=com.sun.opencard.service.auth
ocf.client.Desktop.IButton.authmechanism=Pin\=UserPin
ocf.client.Desktop.validcards=PayFlex
OpenCard.trace=com.sun\:0 opencard.core\:0
ocf.client.default.validcards=CyberFlex IButton PayFlex
ocf.server.initializerlocations=com.sun.opencard.cmd.IButtonInit
ocf.server.debugging=5
ocf.client.default.authmechanism=Pin\=UserPin
ocf.server.debugging.filename=/var/run/ocf.log
ocf.server.ocfserv.protocol=rpc
ocf.client.Desktop.PayFlex.authmechanism=Pin\=UserPin
ocf.server.authmechanism=Pin Password
ocf.client.default.defaultaid=A000000062030400
ocf.server.language=en
ocf.server.cardservicelocations=com.sun.opencard.service.common
ocf.server.IButton.ATR=008F0E0000000000000000000004000034909000
ocf.server.country=US
ocf.client.default.defaultcard=PayFlex
ocf.server.CyberFlex.ATR=3B169481100601810F 3B169481100601811F
ocf.client.Desktop.defaultcard=PayFlex
OpenCard.services=com.sun.opencard.service.cyberflex.CyberFlexServiceFactory com.sun.opencard.service.ibutton.IButtonServiceFactory com.sun.opencard.service.payflex.PayFlexServiceFactory
ocf.client.Desktop.CyberFlex.authmechanism=Pin\=UserPin
ocf.server.PayFlex.ATR=3B6900002494010201000101A9 3B6900005792020101000100A9 3B69110000005792020101000100
OpenCard.terminals=com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory|SunRayDTU|SunRayDTU-InternalReader|DTU@


Notes: 
	* I have increased the ocf.server.debugging value to 5 in order to get more detailed logs. The 
	  log file is /var/run/ocf.log, as set by ocf.server.debugging.filename.
	* I have added the ATR of the standard Sun PayFlex smart cards (Sun P/N: 370-4328-01) to the 
	  ocf.server.PayFlex.ATR line; the ATR is 3B6900002494010201000101A9 and it is printed in the 
	  /var/run/ocf.log file when a card is inserted.
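As an added example (not part of the original notes), a small Python checker that parses a properties file like the one above, honouring the backslash escapes OCF writes into it, and reports whether the SunRayDTU terminal entry and the Sun PayFlex ATR are present. The excerpt embedded in it is constructed from the file above, minus the two edits the notes describe.

```python
r"""Check opencard.properties for the Sun Ray reader and PayFlex ATR entries.

Added example, not from the original notes: parses the Java-style properties
format OCF uses (including the "\=" and "\:" escapes seen in the file above)
and lists what is still missing for a Sun Ray DTU reader.
"""
import re

SUNRAY_TERMINAL = ("com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory"
                   "|SunRayDTU|SunRayDTU-InternalReader|DTU@")
# ATR of the Sun PayFlex card (P/N 370-4328-01) as logged in /var/run/ocf.log.
SUN_PAYFLEX_ATR = "3B6900002494010201000101A9"

# Constructed excerpt of the file above, before the SunRayDTU and ATR edits.
SAMPLE_BEFORE_EDITS = """\
ocf.client.Desktop.PayFlex.authmechanism=Pin\\=UserPin
OpenCard.trace=com.sun\\:0 opencard.core\\:0
ocf.client.default.validcards=CyberFlex IButton PayFlex
ocf.server.debugging.filename=/var/run/ocf.log
ocf.server.PayFlex.ATR=3B6900005792020101000100A9 3B69110000005792020101000100
"""


def parse_properties(text):
    """Map keys to values; a backslash escapes the next character in either."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        # The first unescaped '=' or ':' (or whitespace) separates key from value.
        m = re.match(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$", line)
        if m:
            key, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            props[key] = value
    return props


def check_sunray_config(text, observed_atr=SUN_PAYFLEX_ATR):
    """Return the problems found; an empty list means the file is complete."""
    props = parse_properties(text)
    problems = []
    if SUNRAY_TERMINAL not in props.get("OpenCard.terminals", "").split():
        problems.append("OpenCard.terminals lacks the SunRayDTU factory entry")
    if observed_atr.upper() not in props.get("ocf.server.PayFlex.ATR", "").upper().split():
        problems.append("ocf.server.PayFlex.ATR does not list ATR " + observed_atr)
    if "PayFlex" not in props.get("ocf.client.default.validcards", "").split():
        problems.append("PayFlex is missing from ocf.client.default.validcards")
    return problems
```

Run it against /etc/smartcard/opencard.properties after an insertion has been logged, passing the ATR copied from /var/run/ocf.log as observed_atr.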
	

4.2 Restarting ocfserv
	
	* Exit the Smartcard Console if it is started
	* Restart ocfserv
	
		# svcadm restart network/rpc/ocfserv
	
	  The ocfserv process is restarted the next time you use the Smartcard Console or execute the 
	  smartcard command.
	  
	  You can also do:
	
		# svcadm disable network/rpc/ocfserv
		# svcadm enable network/rpc/ocfserv
		

4.3 Start the Smartcard Console - you should be able to see the "SunRayDTU" card reader in the "Card Readers" 
menu in the "Navigation" pane of the Smartcard Console


5. Follow the instructions in the Solaris Smartcard Administration Guide on how to:
	
	* Load the SolarisAuthApplet
	* Initialize the Smart Card
	* Define Authentication Properties on the Smart Card
	* Change the default PIN
	* Enable Desktop Login With the Solaris Smartcard
	
	* See also Chapter 2: Setting Up for Smartcard Login
	  http://www.filibeto.org/sun/lib/solaris10-docs/816-5182.pdf
	
	
6. /etc/pam.conf entries
	  
	  When CDE is configured for Smartcard login, /etc/pam.conf is modified to include pam_smartcard. 
	  For example, when smartcard -c enable is executed, the following lines are inserted at the top of 
	  the auth stacks for dtlogin and dtsession:

		dtlogin auth requisite pam_smartcard.so
		dtsession auth requisite pam_smartcard.so
		
	  For the Sun Ray terminals to work with the personalized cards, I added the following lines to the 
	  appropriate sections of the /etc/pam.conf file:

		xscreensaver auth requisite pam_smartcard.so.1
		
		dtlogin-SunRay auth requisite pam_smartcard.so.1
		
		dtsession-SunRay auth requisite pam_smartcard.so.1
		
		utnsclogin auth requisite pam_smartcard.so.1
		
		utgulogin  auth requisite pam_smartcard.so.1
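As an added example (not part of the original notes), a Python check that parses pam.conf syntax and reports, for each of the services listed above, whether pam_smartcard is really the first auth entry and marked requisite, so a misplaced or weaker entry is noticed before relying on it. The pam.conf excerpt inside it is constructed.

```python
"""Check that pam_smartcard heads the auth stacks of the Sun Ray PAM services.

Added example, not from the original notes: parses /etc/pam.conf syntax
(service type control module [options]) and reports, for each service the
notes touch, whether the first auth entry is pam_smartcard with "requisite".
"""

# Services the notes add pam_smartcard to (dtlogin/dtsession come from smartcard -c enable).
SUNRAY_SERVICES = ("dtlogin-SunRay", "dtsession-SunRay", "xscreensaver",
                   "utnsclogin", "utgulogin")

# Constructed pam.conf excerpt: two entries are deliberately wrong.
SAMPLE_PAM_CONF = """\
# comment lines and blank lines are ignored
dtlogin-SunRay auth requisite pam_smartcard.so.1
dtlogin-SunRay auth required pam_unix_auth.so.1
dtsession-SunRay auth requisite pam_smartcard.so.1
xscreensaver auth requisite pam_smartcard.so.1
utnsclogin auth sufficient pam_smartcard.so.1
utgulogin auth required pam_unix_auth.so.1
"""


def parse_pam_conf(text):
    """Return {service: [(type, control, module, options)]} in file order."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only or malformed line
        service, mtype, control, module = fields[:4]
        stacks.setdefault(service, []).append((mtype, control, module, fields[4:]))
    return stacks


def smartcard_auth_status(text, services=SUNRAY_SERVICES):
    """Map each service to 'ok' or the reason the card will not gate its login."""
    stacks = parse_pam_conf(text)
    status = {}
    for svc in services:
        auth = [e for e in stacks.get(svc, []) if e[0] == "auth"]
        if not auth:
            status[svc] = "no auth entries (Solaris falls back to the 'other' stack)"
        elif "pam_smartcard" not in auth[0][2]:
            status[svc] = "first auth module is %s, not pam_smartcard" % auth[0][2]
        elif auth[0][1] != "requisite":
            status[svc] = "pam_smartcard is %s, not requisite" % auth[0][1]
        else:
            status[svc] = "ok"
    return status
```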
		


happy card-swapping :P

References
----------

Thanx to Alexaner (lamo <at> ccs <dot> ru) for his help!


[1] Solaris Smartcard Administration Guide (for Solaris 10)
    http://www.filibeto.org/sun/lib/solaris10-docs/816-5182.pdf
    
[2] Sun Ray Server version 1.3 Patch Update 111891-10 README
    http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-21-111891-10-1
    
[3] Sunray-Users Mailing list
    http://www.filibeto.org/sun/sunray-users/