This procedure is required if a client receives a Keyerror (49) or Session Refused (50) icon due to conflicting or unconfirmed keys. After the key is confirmed, the client must be disconnected, either by rebooting it or by inserting and removing a smart card, before it can access a session.
View the unconfirmed keys (key fingerprints) for all or specific clients.
To determine whether an unconfirmed client key really belongs to that client, display the key fingerprint for the client by pressing Stop-K.
# utkeyadm -a -c IEEE802.000000ee0d6b
1 key confirmed.
# utkeyadm -a -c IEEE802.00000f85f52f -k 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3
1 key confirmed.
If you are certain that all clients requiring key confirmation have been connected to the server group (their genuine keys are stored on the server) and if you are certain that no unwanted clients have keys stored on the server, then you can summarily confirm all known unconfirmed keys. If conflicting keys exist for a client, that client will be skipped.
Display all the client keys.
# utkeyadm -l -H
For example:
# utkeyadm -l -H
CID                  TYPE KEY-FINGERPRINT                                 STATUS
IEEE802.00000adc1a7a DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e confirmed
IEEE802.00000f85f52f DSA* 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3 unconfirmed
IEEE802.00000f85f52f DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e unconfirmed
IEEE802.00000fe4d445 DSA* 13:d0:d4:47:aa:7f:00:ba:db:ad:26:3a:17:25:11:24 unconfirmed
IEEE802.000000ee0d6b DSA* d0:d7:d0:57:12:18:00:ba:db:ad:b7:0f:5a:c0:8b:13 unconfirmed
Confirm all unconfirmed client keys.
# utkeyadm -a -U
Skipping cid=IEEE802.00000f85f52f: Multiple (2) keys found.
2 keys confirmed.
Using the previous example, the unconfirmed client keys for IEEE802.00000fe4d445 and IEEE802.000000ee0d6b are confirmed.
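The pre-check below is an added example, not part of the product documentation: it reads a listing in the utkeyadm -l -H format shown above and reports which clients a bulk confirmation would confirm, which it would skip, and whether one fingerprint is stored for more than one client. The function name review_keys, the verdict labels, and the rule that any client with more than one stored key counts as a conflict are assumptions; the sample input is the listing from this page's example.

```shell
#!/bin/sh
# Added example (not from the product documentation): review a key listing
# before running "utkeyadm -a -U". Columns: CID TYPE KEY-FINGERPRINT STATUS.

# Sample input: the listing shown in this page's example.
sample_listing() {
cat <<'EOF'
CID TYPE KEY-FINGERPRINT STATUS
IEEE802.00000adc1a7a DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e confirmed
IEEE802.00000f85f52f DSA* 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3 unconfirmed
IEEE802.00000f85f52f DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e unconfirmed
IEEE802.00000fe4d445 DSA* 13:d0:d4:47:aa:7f:00:ba:db:ad:26:3a:17:25:11:24 unconfirmed
IEEE802.000000ee0d6b DSA* d0:d7:d0:57:12:18:00:ba:db:ad:b7:0f:5a:c0:8b:13 unconfirmed
EOF
}

# review_keys: read a listing on stdin, print one finding per line.
#   CONFLICT    client has more than one stored key (assumed to be what -U skips)
#   CONFIRMABLE client has exactly one key and it is unconfirmed
#   OK          client has a single key that is not unconfirmed
#   SHARED-KEY  the same fingerprint is stored for more than one client
review_keys() {
  awk '
    $1 == "CID" || NF < 4 { next }      # skip the header and short lines
    {
      cid = $1; fp = $3
      if (!(cid in nkeys)) order[++n] = cid   # remember first-seen order
      nkeys[cid]++
      if ($4 == "unconfirmed") nunconf[cid]++
      if (!((fp, cid) in pair)) { pair[fp, cid] = 1; nclients[fp]++ }
    }
    END {
      for (i = 1; i <= n; i++) {
        cid = order[i]
        if (nkeys[cid] > 1)         print "CONFLICT", cid, nkeys[cid] " keys stored"
        else if (nunconf[cid] == 1) print "CONFIRMABLE", cid
        else                        print "OK", cid
      }
      for (fp in nclients)
        if (nclients[fp] > 1) print "SHARED-KEY", fp, nclients[fp] " clients"
    }'
}

# On a server: utkeyadm -l -H | review_keys
sample_listing | review_keys
```

Each CONFLICT or SHARED-KEY line is a client whose fingerprint should be checked at the device with Stop-K before any key is confirmed.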
To display the key fingerprint for a client, press the Stop-K key combination on a Sun keyboard or Ctrl-Pause-K on a non-Sun or PC keyboard.
If the key panel does not display, the client might have old firmware installed that doesn't support client authentication.
If the message No key available is displayed, the client still has preinstalled MfgPkg firmware or a bug exists.
This procedure shows how to display client keys in the data store. For additional options to display client keys, see the utkeyadm man page.
Use the utkeyadm command.
# utkeyadm -l -H
For example:
# utkeyadm -l -H
CID                  TYPE KEY-FINGERPRINT                                 STATUS
IEEE802.00000adc1a7a DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e confirmed
IEEE802.00000f85f52f DSA* 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3 unconfirmed
IEEE802.00000f85f52f DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e unconfirmed
IEEE802.00000fe4d445 DSA* 13:d0:d4:47:aa:7f:00:ba:db:ad:26:3a:17:25:11:24 unconfirmed
IEEE802.000000ee0d6b DSA* d0:d7:d0:57:12:18:00:ba:db:ad:b7:0f:5a:c0:8b:13 unconfirmed
For multiple clients, click the Desktop Units tab.
The Client Key Status column indicates whether the client has a key in a confirmed or unconfirmed status, whether the client has multiple unconfirmed keys creating a conflict, or whether a key exists for the client. The possible Client Key Status values are None, Unconfirmed, Confirmed, Conflict, Automatic, or Invalid.
This procedure shows how to display client keys in the data store. For additional options to display client keys, see the utkeyadm man page.
Use the utkeyadm command.
# utkeyadm [-l|-L] -c cid -H
where cid is the desktop ID of the client and -L displays additional auditing information.
The following example displays all keys for the IEEE802.0003ba0d93af client with additional auditing information.
# utkeyadm -L -c IEEE802.0003ba0d93af -H
CID                  TYPE KEY-FINGERPRINT                                 STATUS      CREATED                 CONFIRMED CONFIRMED BY
IEEE802.0003ba0d93af DSA* 4f:98:25:60:3b:fe:d6:f8:fb:38:56:32:c3:e2:8b:3e unconfirmed 2009-06-01 05:08:50 UTC -
To delete a specific client key, use the following command:
# utkeyadm -d -c cid -k key-id
where cid is the desktop ID of the desktop to which the key belongs and key-id is the key fingerprint.
For example:
# utkeyadm -d -c IEEE802.00000f85f52f -k 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3
1 key deleted.