You base the property settings of each smart card on the user's requirements, your site's security policies, and the limitations of the type of smart card used. Use the Configure Applets dialog box to define corresponding properties for each smart card. The client and server programs on the system read the properties on the smart card to determine whether to give the user access to a particular application.
These properties apply only to cards that have been initialized with the SolarisAuthApplet applet provided with Solaris Smartcard. If your site uses a different smart card applet, the available properties might differ. Refer to the smartcard(1M) man page for more information.
The PIN property is an authentication property that defines a personal identification number (PIN) for the card. The default PIN that is created on the card is $$$$java. Either you or the user can change $$$$java to a personalized PIN. Consider giving all users at your site the same default PIN, for example changeme. Then make sure each user changes the PIN to a value that is known only to that user.
See To Change the PIN on a Card (Console) for step-by-step instructions on changing the PIN on a smart card.
The user and password properties are authentication properties that identify the user and associate the user with the smart card's PIN. To set these properties, you must know the user's login name and password.
On systems that use the default authentication mechanism of PIN, ocfserv verifies the authenticity of the PIN. Next, ocfserv reads the user and password properties on the card. If the password on the smart card matches the user's entry in the system's password database, ocfserv gives the user access to the application.
Use the application authentication property to designate which applications the user needs to log in to with a login name and password. The application authentication property is called a “user profile” in the Smartcard Console. For example, to require a smart card login to the desktop, specify dtlogin as the application associated with the login name and password on the card. You can also require a smart card login for an application specific to your site, such as a financial package or a personnel database. To require a smart card login for such an application, specify its name as the application property.
Before initializing an application on the card, find out which applications a user needs to access through smart card authentication. This step is particularly important when preparing a smart card for anyone who needs to log in to an application as root or another restricted login name.
PayFlex cards do not support multiple profiles. PayFlex cards cannot be used in cases where a user needs to log in to the desktop and to one or more secure applications. PayFlex cards cannot be used with multiple user names.
For example, assume that the card for user Ed is initialized with the following properties:
A000000062030400 – The SolarisAuthApplet applet
'$$$$java' – The default PIN for this card, which user Ed can change later
dtlogin – The application that requires the smart card login
ed – The name that Ed must provide to log in to the desktop
xx – The password that Ed must type to log in to the desktop
The preceding information would be typed on the command line, as follows:
# smartcard -c init -A A000000062030400 -P '$$$$java' application=dtlogin user=ed password=xx
When Ed inserts his card into the reader and tries to log in to the desktop (dtlogin), ocfserv reads the card to determine whether any authentication properties are associated with dtlogin. The ocfserv server finds that the user and password properties are associated with dtlogin.
The ocfserv server prompts Ed for his PIN. The typed PIN is compared with the PIN that is stored on the smart card that is assigned to the dtlogin application. Also, ocfserv uses the login name and password on Ed's card, along with the passwords in the system's password database, to verify that Ed is who he claims to be. If these properties match, Ed is logged in to the desktop.
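The following Python model walks through the check order described above (profile lookup for the application, PIN comparison, then card user/password compared against the system password database) and also enforces the single-profile limitation of PayFlex cards. It is an added illustration written for this page, not Sun's ocfserv or smartcard code; the card layout, the card type names other than PayFlex, the PBKDF2-based stand-in for the password database, and the sample values (user ed, PIN $$$$java, password xx) are constructed assumptions.

```python
"""Model of the Solaris Smartcard authentication flow described on this page.

Added illustration, not Sun's ocfserv code. The card layout, the hashing
scheme standing in for the system password database, and all sample values
(user "ed", PIN "$$$$java", password "xx") are constructed assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Profile:
    """One application authentication profile stored on the card."""
    application: str   # e.g. "dtlogin"
    user: str          # login name associated with the card's PIN
    password: str      # password that must match the password database


@dataclass
class SmartCard:
    """Properties written by the SolarisAuthApplet (constructed model)."""
    card_type: str                    # e.g. "PayFlex" or a constructed "generic"
    applet_aid: str = "A000000062030400"   # the SolarisAuthApplet identifier from the page
    pin: str = "$$$$java"             # default PIN created on the card
    profiles: list = field(default_factory=list)

    def add_profile(self, profile: Profile) -> None:
        # PayFlex cards support only a single profile (limitation stated on the page).
        if self.card_type == "PayFlex" and self.profiles:
            raise ValueError("PayFlex cards do not support multiple profiles")
        self.profiles.append(profile)

    def profile_for(self, application: str):
        """Return the profile bound to this application, or None if there is none."""
        return next((p for p in self.profiles if p.application == application), None)


def make_entry(password: str, salt: bytes = b"") -> tuple:
    """Constructed stand-in for a system password database entry: (salt, hash)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def ocfserv_authenticate(card: SmartCard, application: str, typed_pin: str,
                         password_db: dict) -> tuple:
    """Replay the check order the page describes and return (granted, reason).

    1. Does the card hold authentication properties for this application?
    2. Does the PIN the user typed match the PIN stored on the card?
    3. Do the card's user and password match the system password database?
    """
    profile = card.profile_for(application)
    if profile is None:
        return False, "no authentication properties for " + application
    # Constant-time comparison so a wrong PIN cannot be distinguished by timing.
    if not hmac.compare_digest(typed_pin.encode(), card.pin.encode()):
        return False, "PIN mismatch"
    entry = password_db.get(profile.user)
    if entry is None:
        return False, "unknown user " + profile.user
    salt, stored = entry
    _, candidate = make_entry(profile.password, salt)
    if not hmac.compare_digest(candidate, stored):
        return False, "password on card does not match password database"
    return True, "access granted to " + application + " as " + profile.user


if __name__ == "__main__":
    # Constructed sample: Ed's card as initialized by the command on this page.
    card = SmartCard(card_type="generic")
    card.add_profile(Profile("dtlogin", "ed", "xx"))
    password_db = {"ed": make_entry("xx")}
    print(ocfserv_authenticate(card, "dtlogin", "$$$$java", password_db))
    print(ocfserv_authenticate(card, "dtlogin", "0000", password_db))
    print(ocfserv_authenticate(card, "payroll", "$$$$java", password_db))
```

Note that the card's password property is compared against the password database entry for the same login name, so changing the user's system password without reinitializing the card makes the card stop working for that application.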