Sun and OracleChannel SunHow to BuyLog InDeutsch

Solaris Smart Cards Administration Guide
  Suchtext Nur in diesem Buch
Suche Hilfe
Sehen Sie dieses Buch:
Innerhalb
Nach weiteren Dokumenten suchen
Support-Ressourcen

Chapter 6 Additional OCF Server and Client Configuration (Overview)

This chapter provides an overview of ocfserv and client configuration that you might want to be change after initially setting up a smart card.

This is list of the topics in this chapter.

Solaris Smart Cards includes a group of properties that you might change for each system to define how ocfserv and client applications should operate.

Changing OCF Server Properties From the Console

ocfserv handles smart card operations on the system. Change ocfserv properties as needed from the SmartCard Console using the following basic steps.

  1. Click the OCF Server icon on the Navigation pane.

  2. Double-click the icon representing the local system to display the OCF Server Configuration dialog box.

  3. Use the OCF Server Configuration dialog box to define OCF server properties.

    These properties define defaults for server operations, which prevail unless they are overwritten by properties defined for the client applications.

    The OCF Server Configuration dialog box contains three folders:

    • Resources - Use the Resources folder to define the properties that govern the default operation of the OCF server on the local system. The folder includes an Available Resources list and a Defaults list.

    • Debug - Use the Debug folder if you want to set up the debugging property for the OCF server. The debug property is optional.

    • Classpath - Use the Classpath folder to add or delete a .jar file known to the OCF server.

    For information on using the SmartCard Console, see "Using the SmartCard Console".

OCF Server Properties Overview

This section provides an overview of ocfserv properties that you can change if the default properties do not suit your site. You might need to change these properties if:

  • They do not entirely support the security needs of your site.

  • Your smart card or card reader manufacturer updates its product, and changes the product's ATR number, card terminal factory names, or other information.

  • Developers at your site create custom applications that require you to add security properties.

See Chapter 7, Additional OCF Server and Client Configuration (Tasks) for step-by-step instructions on changing these properties.

This following sections describes each ocfserv property and provide the default value of each property. You can view these properties in the SmartCard Console or with the smartcard -c admin command.

Valid Smart Cards and Default Smart Card Server Properties

The ocf.server.default.validcards property specifies which smart card types are valid on the system. By default, all three smart card types are valid.

See "How to Change the Valid Smart Cards for the Server (Console)" for step-by-step instructions on changing this property.

The ocf.client.default.defaultcard property specifies to ocfserv which card is the default smart card. By default, Solaris Smart Cards has no default smart card.

See "How to Change the Default Smart Card for the Server (Console)" for step-by-step instructions on changing this property.

Supported Card Readers Property

The OpenCard.terminals property defines the card readers supported by the system. For example, for a system with a Sun SCRI External Card Reader 1, the value for OpenCard.terminals is:


OpenCard.terminals         = com.sun.opencard.terminal.scm.SCMStc
.SCMStcCardTerminalFactory|MySCM|SunSCRI|dev/cua/b

Here OpenCard.terminals defines the Sun SCRI External Card Reader 1 as the currently configured reader. The smartcard -c admin command displays the OpenCard.terminals property only after you have added a card reader.

For instructions on adding a card reader, see Chapter 3, Setting Up a Card Reader (Tasks).

Open Card Services Property

The OpenCard.services property specifies the location of the card-specific modules. Each smart card type has the following modules defined: 


OpenCard.services          = com.sun.opencard.service.cyberflex.CyberFlex
ServiceFactory com.sun.opencard.service.ibutton.IButtonServiceFactory com.
sun.opencard.service.payflex.PayFlexServiceFactory

For instructions on activating or deactivating card services, see "How to Deactivate or Activate Card Services (Console)".

Private-Key Property

To use this feature of Solaris Smart Cards, you must have a public-key infrastructure (PKI) set up at your site. See "How to Create a Private Key on a Smart Card (Command Line)" for step-by-step instructions on creating a private key on a smart card.

Note -

You can store only one private key on a smart card.

How the Private Key Property Works

After authenticating the PIN and password on the smart card, ocfserv copies the file specified in key_file_name to the smart card. Thereafter, the private key is available on the card for signing data as an additional form of authentication. When the user runs a command for signing data, such as amisign from AMI, the command uses the private key on the user's smart card to create the signed data.

Depending on your site's policies, you might want to delete the user's private-key file from the system where it is stored. Thereafter, the private key exists only on the user's smart card.

Additional OCF Server Properties

The following table describes properties that you should not change.

Table 6-1 Do Not Change These OCF Server Properties

Property Name 

Property Definition 

initializerlocations

The location of the Java Class directory containing the applet initializer: 

initializerlocations = com.sun.opencard.cmd.IButtonInit

cardservicelocations

The location of the Java Class directory where the card service module is located: 

cardservicelocations = com.sun.opencard.service.common

ocfserv.protocol

The TCP protocol used by ocfserv:

ocfserv.protocol = rpc

authservicelocations

The location of the Java Class directory containing the authentication module: 

authservicelocations = com.sun.opencard.service.auth

Changing OCF Client Properties From the Console

Change OCF client properties as needed from the SmartCard Console using the following basic steps.

  1. Click the OCF Clients icon in the Navigation pane.

  2. Double-click the CDE icon in the Navigation pane.

  3. Use the Configure Clients: CDE dialog box to change client properties.

    The Configure Clients dialog box contains four folders:

    • Cards/Authentications -- Use the Cards/Authentications folder to define valid smart cards for use with the client application and the authentication sequence.

    • Defaults -- Use the Defaults folder to define default properties for the client application.

      This folder contains some of the same options as you used to define defaults for ocfserv, but this time the defaults are for the client.

    • Timeouts -- Use the Timeouts folder to determine the length of time the application waits after a card is removed before restarting the authentication process.

    • Options -- Use the Options folder to define client application behavior when a smart card is removed while the client application is running.

    For information on using the SmartCard Console, see "Using the SmartCard Console".

OCF Client Properties Overview

This section describes the client properties that you might want to change based on your smart card configuration. You can view these properties in the SmartCard Console or with the smartcard -c admin command.

The following properties are defined by default for the OCF client.


ClientName.PropertyName     Value
  -----------------------     -----
  default.validcards        = CyberFlex IButton PayFlex
  default.authmechanism     = Pin=UserPin
  default.defaultaid        = A000000062030400

Default Smart Card and Card Reader for the Client

The ocf.client.defaultcard property defines a specific card type (among all valid card types) that must be used with the client application. The card types supported by Solaris Smart Cards include:

  • Payflex

  • iButton

  • Cyberflex

  • OCF Server Default - This value tells the client application to use the same value setup as the default smart card for the OCF server.

Use the Available Resource: Card Reader category to define a default smart card reader to be recognized by the client application.

See "How to Define the Default Smart Card for the Client (Console)" and "How to Define the Default Smart Card Reader for the Client (Console)" for step-by-step instructions on changing these properties.

Valid and Default Card Types for Client Applications

Two card properties designate which smart card types the user must use to log in to a particular client application, or to all client applications on the system: defaultcard and validcards.

The validcards property specifies all smart card types that are valid for a particular application. In contrast, the defaultcard tells the application to wait until the card defined as the default card is loaded into the reader.

For example, suppose you specify iButton, Cyberflex, and CardA as the validcards properties for Application B. Then you specify Cyberflex as the defaultcard property. If Application B accepts only its default card and the user tries to log in to Application B with CardA, then the system displays the message: 


Waiting for Default Card

Login to Application B is blocked until the user inserts a Cyberflex card into the reader.

When you run smartcard -c admin, these values are displayed:


default.validcards        = CyberFlex IButton PayFlex

See "How to Change the Valid Smart Cards for a Client Application (Command Line)" and "How to Assign a Default Smart Card to a Client Application (Command Line)" for step-by-step instructions on changing these properties.

Default Authentication Mechanism for Client Applications

The default.authmechanism property specifies the default authentication mechanism for all client applications. The default for all client applications is Pin=UserPin. You also can use authmechanism to define the authentication mechanism to be used for a specific client application.

See "How to Set Up the Default Authentication Mechanism for the Server and Client Applications (Command Line)" for step-by-step instructions on setting the default authentication mechanism for all client applications.

Default Client Authentication Sequence for Valid Cards

The ocf.client.default.authmechanism property determines the default authentication sequence used for all valid cards during login to the client application.

The Smart Cards Used checklist, available from the Configure Clients: CDE dialog box, shows all smart card types currently activated for ocfserv.

The card_name Authentications list shows the available authentication mechanisms for the card type you selected from the Smart Cards Used list.

The order of authentication mechanisms in the card_name Authentications list is the actual order of the authentication sequence that the ocfserv tries when a user accesses this client application.

See "How to Change the Default Client Authentication Sequence for Valid Cards (Console)" for step-by-step instructions for changing this property.

Default Client Applet Identification Property

The default.defaultaid property is an ID number assigned to the default smart card applet that runs for every application. The default ID number shown by smartcard -c admin is:


default.defaultaid        = A000000062030400

This value is the AID property for SolarisAuthApplet, the default applet run by Solaris Smart Cards.

Change the defaultaid property only if you need to replace it with an applet custom built for your site. In this instance, refer to the smartcard(1M) man page for help.

Changing Client Application and Card Removal Timeouts

Use the Timeouts folder to determine the amount of time the client application waits after a card is removed before restarting the authentication process.

  • Card Removal Timeout - Designates the amount of time the application must wait after card removal before starting re-authentication.

  • Re-authentication Timeout - Designates the amount of time the application must wait for re-authentication before either exiting or displaying an error message.

  • Card Removal Logout Wait Timeout - Designates the amount of time the application must wait between card removal and logging out the user.

See "How to Define Client Application and Card Removal Timeouts (Console)" for step-by-step instructions.

Changing Client Application Behavior When a Card is Removed

Use the Options folder to define client application behavior when a user removes a smart card while the client application is running.

  • Ignore Card Removal - Determines whether the application continues to run, even though the card is removed.

  • Re-authenticate After Card Removal - Determines whether the application restarts the authentication process and prompts for required information, such as a PIN or password, if required. If you choose Re-authentication, return to the Timeouts folder and be sure that the Re-Authentication Timeout is set.

See "How to Change the Client Application Behavior When a Card is Removed (Console)" for step-by-step instructions.