Personalizing Smart Cards for use with the Sun Ray Ultra Thin Terminals

From Sun Ray User Group Wiki


Note: This article represents the wrong way to use Smart Cards with Sun Ray. It is unsupported.



These are just quick notes to get you started with personalizing smart cards for use with Sun Rays. Use them at your own risk!
They use the OCF/ocfserv method of personalizing smart cards. Sun also provides a PC/SC bypass package for SRSS; it is a separate package that has to be installed in addition to SRSS.


The test platform:

  • Solaris 10 3/05 SPARC (installed on a Sun Fire v100)
  • Sun Ray Server Software (SRSS) 3.1 beta release
  • Sun Ray 1 and Sun Ray 150 terminals
  • Payflex Smartcards with Sun artwork (Sun P/N: 370-4328-01)


Smartcard Features:

A Solaris Smartcard provides a more secure method for logging in to the Solaris desktop environment than is provided by the standard UNIX login. Information that is stored on the smart card verifies the identity of the user during login. A user who cannot provide the login information that is on the smart card is denied access to the desktop. The Solaris Smartcard software does the following:

  • Implements the Smartcard framework
  • Allows management from the Solaris Smartcard Console or the Solaris command line
  • Protects login to the desktop environment through PIN authentication
  • Provides a screen lock, using dtsession or xscreensaver, when a smart card is removed from the card reader


The Solaris Smartcard Administration Guide (http://www.filibeto.org/sun/lib/solaris10-docs/816-5182.pdf) gives detailed instructions on how to personalize smart cards for use with a Sun Workstation equipped with built-in or external smart card readers.


Starting the Smartcard Console:

  • Use one of your Sun Ray terminals to login to the Sun Ray Server (where SRSS is installed)
  • "su" to root
  • Verify that the ocfserv daemon is enabled:
# svcs network/rpc/ocfserv
  • Enable ocfserv if it is not running:
# svcadm enable network/rpc/ocfserv
  • Start the Smartcard Console
# /usr/dt/bin/sdtsmartcardadmin &


Sun Ray server Smartcard Reader Driver components:

In order for a smart card to be personalized the Sun Ray built-in card reader must be visible in the "Card Readers" menu in the "Navigation" pane.


In SRSS 2.0 the postinstall script of the SUNWutscr package registered the Sun Ray server Smartcard Reader Driver components with the OCF server. Since SRSS 3.0 it no longer does, so for the Sun Ray card reader to be visible in the Smartcard Console the driver components must be installed manually.


Installing the Sun Ray server Smartcard Reader Driver components:

  • Modify the OCF server classpath file /etc/smartcard/ocf.classpath to include the line:
/opt/SUNWut/lib/sunrayCTdriver.jar
  • Modify the /etc/smartcard/opencard.properties file to include the SunRayDTU entry. The correct way to do this is by using the /opt/SUNWut/lib/ocf_termadmin utility:
# /opt/SUNWut/lib/ocf_termadmin -a "com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory|SunRayDTU|SunRayDTU-InternalReader|DTU@"
To check if the entry was added successfully type:
# /opt/SUNWut/lib/ocf_termadmin -l
The output of this command should include a line:
com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory|SunRayDTU|SunRayDTU-InternalReader|DTU@
Trying to use the /opt/SUNWut/lib/ocf_termadmin utility I got the following error:

ld.so.1: ./ocf_termadmin: fatal: relocation error: file ./ocf_termadmin: symbol OCF_GetProperty: referenced symbol not found
Killed
Modifying the /etc/smartcard/opencard.properties file manually resolves this problem. Here are the contents of the opencard.properties file that I use:
#Thu Jul 07 16:35:42 EEST 2005
ocf.server.authservicelocations=com.sun.opencard.service.auth
ocf.client.Desktop.IButton.authmechanism=Pin\=UserPin
ocf.client.Desktop.validcards=PayFlex
OpenCard.trace=com.sun\:0 opencard.core\:0
ocf.client.default.validcards=CyberFlex IButton PayFlex
ocf.server.initializerlocations=com.sun.opencard.cmd.IButtonInit
ocf.server.debugging=5
ocf.client.default.authmechanism=Pin\=UserPin
ocf.server.debugging.filename=/var/run/ocf.log
ocf.server.ocfserv.protocol=rpc
ocf.client.Desktop.PayFlex.authmechanism=Pin\=UserPin
ocf.server.authmechanism=Pin Password
ocf.client.default.defaultaid=A000000062030400
ocf.server.language=en
ocf.server.cardservicelocations=com.sun.opencard.service.common
ocf.server.IButton.ATR=008F0E0000000000000000000004000034909000
ocf.server.country=US
ocf.client.default.defaultcard=PayFlex
ocf.server.CyberFlex.ATR=3B169481100601810F 3B169481100601811F
ocf.client.Desktop.defaultcard=PayFlex
OpenCard.services=com.sun.opencard.service.cyberflex.CyberFlexServiceFactory com.sun.opencard.service.ibutton.IButtonServiceFactory com.sun.opencard.service.payflex.PayFlexServiceFactory
ocf.client.Desktop.CyberFlex.authmechanism=Pin\=UserPin
ocf.server.PayFlex.ATR=3B6900002494010201000101A9 3B6900005792020101000100A9 3B69110000005792020101000100
OpenCard.terminals=com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory|SunRayDTU|SunRayDTU-InternalReader|DTU@

Notes:

  • I have increased the ocf.server.debugging value to 5 in order to get more detailed logs. The log file is /var/run/ocf.log, as set by ocf.server.debugging.filename.
  • I have added the ATR of the standard Sun Payflex smart cards (Sun P/N: 370-4328-01) to the ocf.server.PayFlex.ATR line. The ATR is 3B6900002494010201000101A9; it is printed in /var/run/ocf.log when a card is inserted, so you can read the ATR of any other card type from there and add it the same way.
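The three edits above (the classpath line, the OpenCard.terminals entry and the PayFlex ATR) as an added shell example; this is not code from the wiki page and is not Sun's ocf_termadmin utility. It assumes the file layouts shown above (one jar per line in ocf.classpath, space-separated values in opencard.properties) and takes the jar path, terminal string and ATR from this page; file paths are passed as arguments so it can be rehearsed on copies before touching /etc/smartcard.

```shell
#!/bin/sh
# Added example, not from the wiki page or from SRSS: idempotent helpers for
# the OCF edits described above (ocf.classpath and the OpenCard.terminals
# property) plus the PayFlex ATR addition from the notes. Files are passed as
# arguments so the helpers can be tried on copies before touching /etc/smartcard.
SUNRAY_JAR=/opt/SUNWut/lib/sunrayCTdriver.jar
SUNRAY_TERMINAL='com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory|SunRayDTU|SunRayDTU-InternalReader|DTU@'
SUN_PAYFLEX_ATR=3B6900002494010201000101A9   # ATR of the Sun P/N 370-4328-01 cards (from the notes above)

# Append a jar path to an ocf.classpath-style file (one path per line) unless
# it is already present. grep -x matches whole lines, -F keeps the path literal.
ensure_classpath_entry() {
    file=$1; jar=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$jar" "$file" || printf '%s\n' "$jar" >> "$file"
}

# Add one token to a space-separated property value ("key=tok1 tok2 ...") in a
# Java properties file, creating the line when the key is absent. Tokens are
# compared as whole strings, not as regexes, so the '|' and '@' in the Sun Ray
# terminal string are taken literally.
ensure_property_token() {
    file=$1; key=$2; token=$3
    [ -f "$file" ] || : > "$file"
    awk -v key="$key" -v token="$token" '
        index($0, key "=") == 1 {
            seen = 1
            n = split(substr($0, length(key) + 2), parts, " ")
            found = 0
            for (i = 1; i <= n; i++) if (parts[i] == token) found = 1
            sep = n ? " " : ""
            if (!found) $0 = $0 sep token
        }
        { print }
        END { if (!seen) print key "=" token }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Exit status 0 when the token is already one of the property's values. Use it
# to verify the edits before "svcadm restart network/rpc/ocfserv".
property_has_token() {
    file=$1; key=$2; token=$3
    [ -f "$file" ] && awk -v key="$key" -v token="$token" '
        index($0, key "=") == 1 {
            n = split(substr($0, length(key) + 2), parts, " ")
            for (i = 1; i <= n; i++) if (parts[i] == token) hit = 1
        }
        END { if (hit) exit 0; exit 1 }
    ' "$file"
}

# Everything the article does by hand, in one call. Defaults are the live SRSS
# paths; pass copies to rehearse. Returns non-zero if verification fails.
install_sunray_reader() {
    classpath=${1:-/etc/smartcard/ocf.classpath}
    props=${2:-/etc/smartcard/opencard.properties}
    ensure_classpath_entry "$classpath" "$SUNRAY_JAR"
    ensure_property_token "$props" OpenCard.terminals "$SUNRAY_TERMINAL"
    ensure_property_token "$props" ocf.server.PayFlex.ATR "$SUN_PAYFLEX_ATR"
    property_has_token "$props" OpenCard.terminals "$SUNRAY_TERMINAL" &&
        property_has_token "$props" ocf.server.PayFlex.ATR "$SUN_PAYFLEX_ATR"
}

# Usage: sh ocf-sunray.sh install [ocf.classpath] [opencard.properties]
if [ "${1:-}" = "install" ]; then
    install_sunray_reader "${2:-}" "${3:-}" && echo "OCF entries in place; now restart ocfserv"
fi
```

Run it once against copies of the two files, diff them against the originals, and only then run it against /etc/smartcard and restart ocfserv as described below; because every helper checks before it appends, rerunning it after an SRSS upgrade is harmless.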


Restarting ocfserv

  • Exit the Smartcard Console if it is started
  • Restart ocfserv
# svcadm restart network/rpc/ocfserv
The ocfserv process is actually restarted the next time you use the Smartcard Console or execute the smartcard command.
You can also do:
# svcadm disable network/rpc/ocfserv
# svcadm enable network/rpc/ocfserv


Start the Smartcard Console

You should be able to see the "SunRayDTU" card reader in the "Card Readers" menu in the "Navigation" pane of the Smartcard Console


Follow the instructions in the Solaris Smartcard Administration Guide on how to:

  • Load the SolarisAuthApplet
  • Initialize the Smart Card
  • Define Authentication Properties on the Smart Card
  • Change the default PIN
  • Enable Desktop Login With the Solaris Smartcard


/etc/pam.conf entries

When CDE is configured for Smartcard login, /etc/pam.conf is modified to include pam_smartcard.
For example, when smartcard -c enable is executed, the following lines are inserted at the top of the auth stacks for dtlogin and dtsession:
dtlogin auth requisite pam_smartcard.so
dtsession auth requisite pam_smartcard.so
For the Sun Ray terminals to work with the personalized cards I added the following lines to the appropriate sections of /etc/pam.conf:
xscreensaver auth requisite pam_smartcard.so.1
dtlogin-SunRay auth requisite pam_smartcard.so.1
dtsession-SunRay auth requisite pam_smartcard.so.1
utnsclogin auth requisite pam_smartcard.so.1
utgulogin auth requisite pam_smartcard.so.1
Sample pam.conf can be found here
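The pam.conf change above as an added shell example (not from the wiki page): it inserts the pam_smartcard line at the top of each Sun Ray service's auth stack, the same position smartcard -c enable uses for dtlogin and dtsession, and then verifies that the line is first and fail-closed. The service list is the one given above; the file path is an argument so it can be tried on a copy; the sample pam.conf in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: put pam_smartcard at the top of the
# auth stack of each Sun Ray login service named above, then check that it
# really is first and "requisite"/"required", so a card-less login cannot slip
# through a later "sufficient" module. Operates on the pam.conf path given.
SUNRAY_PAM_SERVICES="xscreensaver dtlogin-SunRay dtsession-SunRay utnsclogin utgulogin"

# Insert "<service> auth requisite pam_smartcard.so.1" before the first
# existing auth line of the service (appending at the end when the service has
# no auth lines yet). Does nothing when the service already lists pam_smartcard.
add_smartcard_auth() {
    file=$1; service=$2
    awk -v svc="$service" '
        { lines[NR] = $0 }
        $1 == svc && $2 == "auth" {
            if (!first) first = NR
            if ($4 ~ /^pam_smartcard\.so/) have = 1   # $3 is the control flag
        }
        END {
            new = svc "\tauth requisite\t\tpam_smartcard.so.1"
            for (i = 1; i <= NR; i++) {
                if (!have && i == first) print new
                print lines[i]
            }
            if (!have && !first) print new
        }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Exit status 0 only when the first auth entry for the service is pam_smartcard
# with a fail-closed control flag (requisite or required). Missing, placed
# after another module, or optional/sufficient all count as not enforced.
smartcard_first_in_stack() {
    file=$1; service=$2
    awk -v svc="$service" '
        $1 == svc && $2 == "auth" && !checked {
            checked = 1
            if (($3 == "requisite" || $3 == "required") && $4 ~ /^pam_smartcard\.so/) ok = 1
        }
        END { if (ok) exit 0; exit 1 }
    ' "$file"
}

# Apply to every Sun Ray service, then verify; returns 1 and names the stacks
# that still do not enforce the card.
apply_sunray_pam() {
    file=$1; bad=""
    for svc in $SUNRAY_PAM_SERVICES; do
        add_smartcard_auth "$file" "$svc"
        smartcard_first_in_stack "$file" "$svc" || bad="$bad $svc"
    done
    [ -z "$bad" ] || { echo "pam_smartcard not first/requisite for:$bad" >&2; return 1; }
}

# Usage: cp /etc/pam.conf /etc/pam.conf.bak && sh sunray-pam.sh apply /etc/pam.conf
if [ "${1:-}" = "apply" ]; then
    apply_sunray_pam "${2:-/etc/pam.conf}"
fi
```

Keep a root shell open on the server while you change pam.conf and test a fresh login from a Sun Ray before closing it: a mistake in the auth stack locks everyone out of dtlogin-SunRay, not only the card holders.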


happy card-swapping :P
Aduritz 01:49, 14 Aug 2005 (EEST)

References

Thanks to Alexaner (lamo <at> ccs <dot> ru) for his help!

