Personalizing Smart Cards for use with the Sun Ray Ultra Thin Terminals
-----------------------------------------------------------------------

Stoyan Angelov (s_angelov filibeto org), filibeto.org
http://www.filibeto.org/~aduritz/truetrue/sunray/srss-sc-pers
srss-sc-pers-01; July 8, 2005

These are just quick notes to get you started with personalizing smart
cards for use with Sun Rays. Use this at your own risk!

The OCF/ocfserv way of personalizing smart cards is used here. Sun also
provides a PC/SC bypass package for SRSS, which has to be installed
separately and is not covered in these notes.

1. The test platform:

   * Solaris 10 3/05 SPARC (installed on a Sun Fire V100)
   * Sun Ray Server Software (SRSS) 3.1 beta release
   * Sun Ray 1 and Sun Ray 150 terminals
   * Payflex smart cards with Sun artwork (Sun P/N: 370-4328-01)

2. Smartcard features:

A Solaris Smartcard provides a more secure method for logging in to the
Solaris desktop environment than the standard UNIX login: information
stored on the smart card verifies the identity of the user during login,
and a user who cannot provide the login information that is on the smart
card is denied access to the desktop.

The Solaris Smartcard software does the following:

   * Implements the Smartcard framework
   * Allows management from the Solaris Smartcard Console or the Solaris
     command line
   * Protects login to the desktop environment through PIN authentication
   * Provides a screen lock, using dtsession or xscreensaver, when a smart
     card is removed from the card reader

The Solaris Smartcard Administration Guide [1]
(http://www.filibeto.org/sun/lib/solaris10-docs/816-5182.pdf) gives
detailed instructions on how to personalize smart cards for use with a Sun
workstation equipped with a built-in or external smart card reader.

3. Starting the Smartcard Console:

   * Use one of your Sun Ray terminals to log in to the Sun Ray server
     (the host where SRSS is installed)
   * "su" to root
   * Verify that the ocfserv service is enabled:

       # svcs network/rpc/ocfserv

   * Enable ocfserv if it is not running:

       # svcadm enable network/rpc/ocfserv

   * Start the Smartcard Console:

       # /usr/dt/bin/sdtsmartcardadmin &

4. Sun Ray server Smartcard Reader Driver components:

For a smart card to be personalized, the Sun Ray built-in card reader must
be visible in the "Card Readers" menu in the "Navigation" pane of the
Smartcard Console. In SRSS 2.0 the postinstall script of the SUNWutscr
package registers the Sun Ray server Smartcard Reader Driver components
with the OCF server; since SRSS 3.0 this is no longer the case, and for the
Sun Ray card reader to show up in the Smartcard Console the driver has to
be registered manually.

4.1 Installing the Sun Ray server Smartcard Reader Driver components:

   * Modify the OCF server classpath file /etc/smartcard/ocf.classpath to
     include the line:

       /opt/SUNWut/lib/sunrayCTdriver.jar

   * Modify the /etc/smartcard/opencard.properties file to include the
     SunRayDTU entry. The correct way to do this is with the
     /opt/SUNWut/lib/ocf_termadmin utility:

       # /opt/SUNWut/lib/ocf_termadmin -a "com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory|SunRayDTU|SunRayDTU-InternalReader|DTU@"

     To check that the entry was added successfully, run:

       # /opt/SUNWut/lib/ocf_termadmin -l

     The output of this command should include a line like:

       com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory|SunRayDTU|SunRayDTU-InternalReader|DTU@

Trying to use the /opt/SUNWut/lib/ocf_termadmin utility I got the
following error:

   ld.so.1: ./ocf_termadmin: fatal: relocation error: file ./ocf_termadmin: symbol OCF_GetProperty: referenced symbol not found
   Killed

Modifying the /etc/smartcard/opencard.properties file manually resolves
this problem.
Here are the contents of the opencard.properties file that I use:

   #Thu Jul 07 16:35:42 EEST 2005
   ocf.server.authservicelocations=com.sun.opencard.service.auth
   ocf.client.Desktop.IButton.authmechanism=Pin\=UserPin
   ocf.client.Desktop.validcards=PayFlex
   OpenCard.trace=com.sun\:0 opencard.core\:0
   ocf.client.default.validcards=CyberFlex IButton PayFlex
   ocf.server.initializerlocations=com.sun.opencard.cmd.IButtonInit
   ocf.server.debugging=5
   ocf.client.default.authmechanism=Pin\=UserPin
   ocf.server.debugging.filename=/var/run/ocf.log
   ocf.server.ocfserv.protocol=rpc
   ocf.client.Desktop.PayFlex.authmechanism=Pin\=UserPin
   ocf.server.authmechanism=Pin Password
   ocf.client.default.defaultaid=A000000062030400
   ocf.server.language=en
   ocf.server.cardservicelocations=com.sun.opencard.service.common
   ocf.server.IButton.ATR=008F0E0000000000000000000004000034909000
   ocf.server.country=US
   ocf.client.default.defaultcard=PayFlex
   ocf.server.CyberFlex.ATR=3B169481100601810F 3B169481100601811F
   ocf.client.Desktop.defaultcard=PayFlex
   OpenCard.services=com.sun.opencard.service.cyberflex.CyberFlexServiceFactory com.sun.opencard.service.ibutton.IButtonServiceFactory com.sun.opencard.service.payflex.PayFlexServiceFactory
   ocf.client.Desktop.CyberFlex.authmechanism=Pin\=UserPin
   ocf.server.PayFlex.ATR=3B6900002494010201000101A9 3B6900005792020101000100A9 3B69110000005792020101000100
   OpenCard.terminals=com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory|SunRayDTU|SunRayDTU-InternalReader|DTU@

Notes:

   * I have increased the ocf.server.debugging value to 5 in order to get
     more detailed logs. The log file is located in /var/run/ocf.log, as
     stated in ocf.server.debugging.filename.
   * I have added the ATR for the standard Sun Payflex smart cards (Sun
     P/N: 370-4328-01) to the ocf.server.PayFlex.ATR line; the ATR is
     3B6900002494010201000101A9 and it is printed in the /var/run/ocf.log
     file when a card is inserted.

The debugging value of 5 is a troubleshooting setting; lower it again once
the reader is working. A card whose ATR is not listed for its card type is
not recognized by ocfserv at all, so check the ATR in the log against the
ocf.server.<card>.ATR line before assuming the reader driver is at fault.
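Because ocf_termadmin would not run on the test system, the
opencard.properties edit in 4.1 and the ATR check in the notes above both
end up being done by hand. The script below is an added example, not part
of the original notes and not SRSS or Solaris code: it makes the
OpenCard.terminals edit idempotently (so running it twice does not
register the reader twice) and checks whether a given ATR is listed for a
card type. The function names, the AWK variable and the sample file
contents are constructed for the demo. It needs a POSIX shell and a
modern awk; on Solaris 10 run it under ksh or /usr/xpg4/bin/sh and set
AWK=nawk, since the Bourne /bin/sh and the old /usr/bin/awk there are not
suitable.

```sh
#!/bin/sh
# Added example (not from the original notes): script the manual edits to
# /etc/smartcard/opencard.properties.  On Solaris 10: AWK=nawk ksh this.sh
AWK=${AWK:-awk}

# The terminal entry that "ocf_termadmin -a" would have added.
SUNRAY_TERMINAL='com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory|SunRayDTU|SunRayDTU-InternalReader|DTU@'

# has_terminal FILE
#   exit 0 if the OpenCard.terminals line in FILE already names the Sun Ray reader.
has_terminal() {
    grep '^OpenCard\.terminals=' "$1" | grep 'SunRayCardTerminalFactory|SunRayDTU' >/dev/null
}

# add_terminal FILE
#   Add the Sun Ray entry to OpenCard.terminals unless it is already there.
#   Terminal factories are space-separated, so an existing list is extended
#   and a missing key is created.  The new file is written to FILE.tmp and
#   renamed, so an interrupted run cannot leave a truncated config behind.
add_terminal() {
    f=$1
    has_terminal "$f" && return 0
    $AWK -v t="$SUNRAY_TERMINAL" '
        /^OpenCard\.terminals=/ {
            found = 1
            if ($0 == "OpenCard.terminals=") print $0 t
            else                             print $0 " " t
            next
        }
        { print }
        END { if (!found) print "OpenCard.terminals=" t }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# has_atr FILE CARD ATR
#   exit 0 if ATR (case-insensitive) is one of the space-separated values
#   on the ocf.server.CARD.ATR line of FILE, e.g.
#   has_atr /etc/smartcard/opencard.properties PayFlex 3B6900002494010201000101A9
has_atr() {
    $AWK -v key="ocf.server.$2.ATR=" -v atr="$3" '
        index($0, key) == 1 {
            sub(/^[^=]*=/, "")                  # keep only the ATR list
            for (i = 1; i <= NF; i++)
                if (toupper($i) == toupper(atr)) hit = 1
        }
        END { exit hit ? 0 : 1 }
    ' "$1"
}

# Demo on a constructed copy of the file, never on the live one.
demo() {
    tmp=${TMPDIR:-/tmp}/opencard.properties.demo.$$
    cat > "$tmp" <<'EOF'
ocf.server.PayFlex.ATR=3B6900005792020101000100A9 3B69110000005792020101000100
OpenCard.terminals=
EOF
    add_terminal "$tmp"
    has_terminal "$tmp" && echo "terminal entry present"
    # the ATR of the Sun-artwork Payflex card is not in this constructed file
    has_atr "$tmp" PayFlex 3B6900002494010201000101A9 \
        || echo "Sun Payflex ATR missing: add it to ocf.server.PayFlex.ATR"
    grep '^OpenCard\.terminals=' "$tmp"
    rm -f "$tmp"
}
demo
```

Run has_atr with the ATR exactly as it appears in /var/run/ocf.log before
editing the ATR line; pass the live file path to add_terminal only after
the demo output looks right, and restart ocfserv afterwards as in 4.2.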
4.2 Restarting ocfserv:

   * Exit the Smartcard Console if it is running
   * Restart ocfserv:

       # svcadm restart network/rpc/ocfserv

     The ocfserv process is started again the next time you use the
     Smartcard Console or execute the smartcard command. You can also do:

       # svcadm disable network/rpc/ocfserv
       # svcadm enable network/rpc/ocfserv

4.3 Start the Smartcard Console. You should now see the "SunRayDTU" card
reader in the "Card Readers" menu in the "Navigation" pane of the
Smartcard Console.

5. Follow the instructions in the Solaris Smartcard Administration Guide
[1] on how to:

   * Load the SolarisAuthApplet
   * Initialize the smart card
   * Define authentication properties on the smart card
   * Change the default PIN
   * Enable desktop login with the Solaris Smartcard
   * See also Chapter 2, "Setting Up for Smartcard Login":
     http://www.filibeto.org/sun/lib/solaris10-docs/816-5182.pdf

6. /etc/pam.conf entries

When CDE is configured for Smartcard login, /etc/pam.conf is modified to
include pam_smartcard. For example, when "smartcard -c enable" is
executed, the following lines are inserted at the top of the auth stacks
for dtlogin and dtsession:

   dtlogin    auth requisite pam_smartcard.so
   dtsession  auth requisite pam_smartcard.so

Both the position and the control flag matter: "requisite" at the top of
the stack means a failed card check returns failure immediately, before
any password module further down is consulted. Any login service whose
auth stack has no pam_smartcard line is still reachable with a password
alone, which is why the Sun Ray-specific services need their own entries.

For the Sun Ray terminals to work with the personalized cards I added the
following lines to the appropriate sections of the /etc/pam.conf file:

   xscreensaver     auth requisite pam_smartcard.so.1
   dtlogin-SunRay   auth requisite pam_smartcard.so.1
   dtsession-SunRay auth requisite pam_smartcard.so.1
   utnsclogin       auth requisite pam_smartcard.so.1
   utgulogin        auth requisite pam_smartcard.so.1

Happy card-swapping :P

References
----------

Thanx to Alexander (lamo ccs ru) for his help!
[1] Solaris Smartcard Administration Guide (for Solaris 10)
    http://www.filibeto.org/sun/lib/solaris10-docs/816-5182.pdf
[2] Sun Ray Server version 1.3 Patch Update 111891-10 README
    http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-21-111891-10-1
[3] Sunray-Users Mailing list
    http://www.filibeto.org/sun/sunray-users/
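For the /etc/pam.conf step in section 6, here is an added example (not
code from the original notes, from Solaris or from SRSS) that audits the
auth stacks after the edit. For each login service you name it checks
that the first "auth" entry is "requisite" plus pam_smartcard, and flags
services where the module is missing, listed after a password module, or
marked "sufficient" (which would let a failed card check fall through to
the password prompt). The function names and the pam.conf excerpt are
constructed for the demo; it needs a POSIX shell and a modern awk (ksh or
/usr/xpg4/bin/sh with AWK=nawk on Solaris 10).

```sh
#!/bin/sh
# Added example (not from the original notes): verify that the named PAM
# services are card-gated.  On Solaris 10: AWK=nawk ksh this.sh
AWK=${AWK:-awk}

# check_pam_service FILE SERVICE
#   exit 0 if the first "SERVICE auth ..." line in FILE is
#   "requisite" + pam_smartcard; exit 1 if the service has no auth line,
#   the flag is not requisite, or another module (e.g. pam_authtok_get)
#   comes first.  Comment and blank lines are skipped, and the module path
#   is matched on its basename so both pam_smartcard.so and
#   pam_smartcard.so.1 (with or without a directory) pass.
check_pam_service() {
    $AWK -v svc="$2" '
        $1 ~ /^#/ || NF < 4 { next }
        $1 == svc && $2 == "auth" {
            seen = 1
            n = split($4, p, "/"); mod = p[n]
            if ($3 == "requisite" && mod ~ /^pam_smartcard\.so/) exit 0
            exit 1                      # only the first auth line decides
        }
        END { if (!seen) exit 1 }
    ' "$1"
}

# audit_pam FILE SERVICE...
#   print one line per service; the return value is the number of services
#   that are NOT card-gated, so 0 means every named service is covered.
audit_pam() {
    f=$1; shift
    bad=0
    for s in "$@"; do
        if check_pam_service "$f" "$s"; then
            echo "ok    $s"
        else
            echo "WEAK  $s: first auth entry is not 'requisite pam_smartcard'"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Demo on a constructed pam.conf excerpt: two correct stacks, one with the
# card module behind the password module, one marked sufficient, and one
# service (utgulogin) with no card line at all.
demo_conf=${TMPDIR:-/tmp}/pam.conf.demo.$$
cat > "$demo_conf" <<'EOF'
# constructed excerpt of /etc/pam.conf for the demo
dtlogin         auth requisite   pam_smartcard.so
dtlogin         auth requisite   pam_authtok_get.so.1
dtlogin-SunRay  auth requisite   pam_smartcard.so.1
dtlogin-SunRay  auth requisite   pam_authtok_get.so.1
utnsclogin      auth requisite   pam_authtok_get.so.1
utnsclogin      auth requisite   pam_smartcard.so.1
xscreensaver    auth sufficient  pam_smartcard.so.1
EOF
audit_pam "$demo_conf" dtlogin dtlogin-SunRay utnsclogin xscreensaver utgulogin \
    || echo "$? service(s) still allow password-only login"
rm -f "$demo_conf"
```

Point audit_pam at the real /etc/pam.conf with the service names from
section 6 (and dtlogin, dtsession) once the lines are in place; a
non-zero return value is the list of services that a user without a card
can still get through.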