Chapter 1 Solaris Smart Cards (Overview)

This chapter provides an overview of Solaris Smart Card features, supported smart cards and card readers, and planning information.

This is a list of the topics in this chapter.

• "Solaris Smart Card Features"

• "Solaris Smart Card Requirements"

• "What Happens During a Smart Card Login"

• "High-Level View of Setting Up a Smart Card (Task Map)"

• "Smart Cards Package Descriptions"

Solaris Smart Card Features

Solaris Smart Cards enables secure login to the Solaris desktop environment or other applications by using a smart card. Information stored on the smart card verifies the identity of the user during login. Users who cannot provide the same login information that is on the smart card are denied access to the application.

The Solaris Smart Cards software:

• Implements the open card framework (OCF) 1.1 standard for smart cards

• Supports a variety of card readers

• Supports three widely used smart cards

• Allows management from the SmartCard Console or the Solaris command line

• Protects login to the desktop environment or other applications, through use of the password, PIN, and challenge-response authentication methods

• Lets a user store security credentials directly onto the card (Java cards only)

Solaris Smart Card Requirements

You need the following to use the Solaris Smart Cards software:

• A SPARC system running the Solaris 8 release.

• A supported internal or external card and smart cards. See the next section for a list of supported smart cards and readers.

Supported Smart Cards and Readers

Solaris Smart Cards supports the following smart cards and card readers.

Table 1-1 Supported Smart Card Types

Card Type	Description	Card Reader Used
iButton	JavaTM iButton smart card	iButton reader
Cyberflex	Java smart card	SunTM SCRI External Card Reader 1, Sun SCRI Internal Card Reader 1
Payflex	Non-Java smart card	Sun SCRI External Card Reader 1, Sun SCRI Internal Card Reader 1

What Happens During a Smart Card Login

Smart cards let users log in to a secure desktop environment or protected application that otherwise would be closed to them. The following sequence explains what happens when someone logs in to a system protected by the default Smart Cards configuration:

1. The user inserts the card into the card reader attached to the system.

2. The user attempts to run a protected application, typically the Solaris desktop; other applications can be protected by smart cards, as well.

3. The application prompts the user to type the user's personal identification number (PIN), and then compares the typed PIN with the PIN stored on the card.

4. If the typed PIN and the PIN stored on the card match, the application then searches the password database specified in the system's /etc/nsswitch.conf file (NIS, NIS+, or local files) for this password.

5. If the application finds this password in the system's password database, it considers the user authenticated and logs in the user.

Planning Your Smart Card Configuration

Before purchasing smart cards and card readers, consider your site's need for authenticated logins. Your site's reason for using smart cards might be:

• To keep systems in a particular department or domain secure from unauthorized access

• To limit access to a protected application to authorized users only

Before setting up a system for smart cards, you need to complete several preparatory tasks. Use the following checklist to verify that you have completed these tasks.

Table 1-2 Smart Card Planning Checklist

Check When Done	Task Description
	1. Determine the types of card readers and smart cards your site will use. See "Supported Smart Cards and Readers" for more information.
	2. Identify the systems that need secure login through smart cards.
	3. Identify the applications that must be protected by smart card authentication.
	4. Obtain the login names of users who need smart cards.

High-Level View of Setting Up a Smart Card (Task Map)

After you have reviewed the smart card planning checklist, use this task map to identify all the tasks for setting up a smart card. Each task in this map points to a series of additional tasks such as installing the Solaris 8 release, adding the card reader, and setting up a smart card.

Table 1-3 High-Level View of Setting a Smart Card (Task Map)

Task	Description	Instructions
1. Install the Solaris 8 software	Install the Solaris 8 release on all systems that will use smart cards.	Solaris 8 (SPARC Platform Edition) Installation Guide
2. Start the SmartCard Console	Start the SmartCard Console for performing smart card setup tasks.	Chapter 2, Getting Started With Solaris Smart Cards (Tasks)
3. Attach Card Reader	Physically attach and configure the card reader on each system that will use smart cards, unless you are using an internal card reader.	Chapter 3, Setting Up a Card Reader (Tasks)
4. Set Up a Smart Card	Specify card-specific information and default authentication. Then enable smart card operations.	Chapter 5, Setting Up a Smart Card (Tasks)
5. Configure Additional OCF Server and Client Authentication	Optional Change the server and client properties if the default values do not suit your security needs.	Chapter 7, Additional OCF Server and Client Configuration (Tasks)

Smart Cards Package Descriptions

The following table lists the Solaris Smart Cards packages added during a Solaris 8 installation.

Table 1-4 Solaris Smart Cards Packages

Package Name	Description
SUNWjcom	Java Communications API for smart card support - Java code and Native code
SUNWjcomx	Java Communications API for smart card support - Native code (64-bit)
SUNWjib	Dallas Semiconductor serial iButton OCF Card Terminal Driver
SUNWocf	Open Card Framework - core libraries and utilities
SUNWocfr	Open Card Framework - configuration files
SUNWocfh	Open Card Framework - header files
SUNWocfx	Open Card Framework - core libraries (64-bit)
SUNWpamsc	Pluggable Authentication Module for smart card authentication
SUNWpamsx	Pluggable Authentication Module for smart card authentication (64-bit)
SUNWscgui	Solaris Smart Cards graphical user interface (GUI)
SUNWscmos	Pluggable Authentication Module for smart-card authentication
SUNWscmsc	Sun SCRI OCF Card Terminal Driver

Should you need to remove a package, use the standard pkgrm command. Reinstall the package using the pkgadd command.

See "Software Administration (Tasks)" in the System Administration Guide, Volume 1 for information on using these commands.