5.5. Smart Cards

This section describes how to configure smart cards for Windows applications displayed through SGD.

This section includes the following topics:

5.5.1. Using Smart Cards With Windows Applications

SGD enables users to access a smart card reader attached to their client device from applications running on a Windows application server. Users can do the following:

  • Use a smart card to log in to a Windows application server.

  • Access the data on a smart card while using an application running on a Windows application server. For example, to use a certificate for signing or encrypting an email.

SGD works with any Personal Computer/Smart Card (PC/SC)-compliant smart card and reader. Details of the smart cards that have been tested successfully with SGD are listed in the Oracle Secure Global Desktop Platform Support and Release Notes for Release 4.7 available at http://www.oracle.com/technetwork/documentation/sgd-193668.html.

5.5.2. Setting Up Access to Smart Cards

SGD Administrators can give users access to smart card readers from Windows applications displayed through SGD. Setting up access to smart cards involves the following configuration steps:

  1. Enable smart card services on the application server.

    See Section 5.5.3, “Configuring the Microsoft Windows Application Server for Smart Cards”.

  2. Enable access to smart cards for SGD users.

    See Section 5.5.4, “Enabling Smart Cards in SGD”.

  3. Configure a smart card reader on the client device.

    See Section 5.5.5, “Configuring Smart Card Readers on Client Devices”.

  4. Log in to the application server using the smart card.

    See Section 5.5.6, “How to Log In to a Microsoft Windows Application Server With a Smart Card”.

5.5.3. Configuring the Microsoft Windows Application Server for Smart Cards

To configure the Microsoft Windows application server for smart cards, do the following:

5.5.3.1. Application Server Authentication Dialog Settings

In the Administration Console, the Global Settings → Application Authentication tab has several attributes that control the behavior of the Application Server Authentication dialog when using the SGD smart card service.

The Smart Card Authentication check box controls whether users get the choice of logging in with a smart card or only with a user name and password.

The "Always Use Smart Card" Box attributes enable you to control whether a user's decision to log in with a smart card is remembered, or cached, for the next time they log in to that application server, and whether they can change this setting.

Note

Users can only choose an authentication method, or to cache the smart card decision, if they have access to the Application Server Authentication dialog. If you disable the ability to use Shift-click, this restricts user access to the Application Server Authentication dialog. See Section 4.9.6, “Users Can Start Applications With Different User Names and Passwords”.

5.5.4. Enabling Smart Cards in SGD

SGD must be configured in order to support user access to smart cards.

Firewalls between SGD servers can interfere with the connections required for smart cards. See Section 1.4.2, “Firewalls Between SGD Servers”.

5.5.4.1. How to Enable Smart Cards in SGD

  1. Check that the SGD smart card service is enabled.

    In the Administration Console, go to the Global Settings → Client Device tab and ensure that the Smart Card check box is selected.

    The smart card service is enabled by default.

  2. Ensure that smart card authentication is enabled.

    Smart card authentication is enabled by default.

    In the Administration Console, go to the Global Settings → Application Authentication tab and ensure that the Smart Card Authentication check box is selected.

    The Global Settings → Application Authentication tab has other settings that affect the behavior of the Always Use Smart Card check box on the Application Server Authentication dialog. See Section 5.5.3.1, “Application Server Authentication Dialog Settings”.

5.5.5. Configuring Smart Card Readers on Client Devices

SGD works with PC/SC-compliant cards and readers. See the PC/SC Workgroup web site for more information.

The smart cards tested with SGD are listed in the Oracle Secure Global Desktop Platform Support and Release Notes for Release 4.7 available at http://www.oracle.com/technetwork/documentation/sgd-193668.html.

5.5.5.1. Microsoft Windows Client Devices

On Microsoft Windows client devices, you must install the smart card reader and any required drivers on the client device to make the smart card available to Remote Desktop Services sessions running through SGD.

5.5.5.2. Linux Platform and Oracle Solaris Client Devices

On Linux platform and Oracle Solaris client devices, a PCSC-Lite library must be installed for SGD to communicate with smart card readers. PCSC-Lite provides an interface to the PC/SC framework on UNIX and Linux platforms.

For Linux platform client devices, PCSC-Lite is available from the following locations:

PCSC-Lite version 1.2.0 or later is required.

For Oracle Solaris client devices, PCSC-Lite compatible libraries are available in the following packages:

  • The PC/SC Shim for SCF package (PCSCshim)

  • The Sun Ray PC/SC Bypass package (SUNWsrcbp)

The PC/SC Shim for SCF package enables you to use a PC/SC application with the Solaris Card Framework (SCF) and work with Sun internal readers and Sun Ray readers. Version 1.1.1 or later is required. PC/SC Shim is included with Oracle Solaris 10. For other Solaris versions, PC/SC Shim is available from the MUSCLE project.

The Sun Ray PC/SC Bypass package provides a PCSC-Lite interface for the Sun Ray reader. Make sure you have the latest patches for Sun Ray Software and the latest SUNWsrcbp package.

SGD clients require the PCSC-Lite libpcsclite.so library file. This is normally installed in /usr/lib, but the location depends on your dynamic linker path. If this file is installed outside of the dynamic linker path, or you want to use a different library file, use the TTA_LIB_PCSCLITE environment variable to specify the location. This can be set either in the user's environment or in the login script.

5.5.6. How to Log In to a Microsoft Windows Application Server With a Smart Card

  1. Log in to SGD.

  2. On the webtop, click the link to start the Windows application.

  3. When the Application Server Authentication dialog displays, click Use smart card.

  4. To always use a smart card to log in, click the Always use smart card box.

  5. When the Windows security dialog displays, insert your smart card.

  6. When prompted, enter your PIN.

5.5.7. Troubleshooting Smart Cards

For information about configuring SGD to use smart cards with Windows applications see Section 5.5.1, “Using Smart Cards With Windows Applications”.

If users find they are unable to use their smart cards with Windows applications, use the following checklist to resolve the problem.

Questions

  • 5.5.7.1: Is the smart card device redirection enabled on the Windows Remote Desktop Session Host?

  • 5.5.7.2: Are smart card services enabled for all SGD servers in the array?

  • 5.5.7.3: Is there a firewall between the SGD server hosting the user session and the SGD server hosting the application session?

  • 5.5.7.4: Is the client device configured correctly?

  • 5.5.7.5: Are there any error messages listed in the log file?

Questions and Answers

5.5.7.1: Is the smart card device redirection enabled on the Windows Remote Desktop Session Host?

You can only use smart cards if smart card device redirection is enabled on the Windows Remote Desktop Session Host. See Section 4.1.3, “Configuring Microsoft Windows Remote Desktop Services for Use With SGD” for details of the Windows platforms that support smart card device redirection.

5.5.7.2: Are smart card services enabled for all SGD servers in the array?

In the Administration Console, go to the Global Settings → Client Device tab and ensure that the Smart Card check box is selected.

In the Administration Console, go to the Global Settings → Application Authentication tab and ensure that the Smart Card Authentication check box is selected.

5.5.7.3: Is there a firewall between the SGD server hosting the user session and the SGD server hosting the application session?

Firewalls between SGD servers can interfere with smart card connections. See Section 1.4.2, “Firewalls Between SGD Servers”.

5.5.7.4: Is the client device configured correctly?

On Microsoft Windows client platforms, do the following:

  • Check that the smart card reader is listed in the Windows Device Manager.

  • Check that the smart card service is running on the client. Click Start Menu → Programs → Administrative Tools → Services.

  • Check that the SGD Client has detected the smart card reader and card. Right-click the SGD icon in the Windows system tray and select Connection info. The Smart card reader property lists the details in the format reader:ATR_string, where reader is the manufacturer and model of the smart card reader and ATR_string is the Automatic Terminal Recognition (ATR) string, a sequence of hexadecimal numbers used to identify the card to the system.

On Linux platforms, do the following:

  • Check that the PCSC daemon, pcscd, is running. For example, you can use the following command:

    # /sbin/service pcscd status

  • Try restarting the PCSC daemon with the --debug stdout option. Insert the smart card in the reader and see if the reader and card are detected.
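The following login-script helper, added here as an example and not part of the SGD documentation, ties together the TTA_LIB_PCSCLITE setting from Section 5.5.5.2 and the pcscd check above: it locates libpcsclite.so in a list of directories you supply, emits the export line only when the library is outside the dynamic linker path (as reported by ldconfig -p), and reports whether pcscd is running. The directory list, the function names and the fallback to pgrep are assumptions for this example.

```shell
#!/bin/sh
# Added example, not SGD's own code. Locates the PCSC-Lite library the SGD
# Client needs, decides whether TTA_LIB_PCSCLITE must be exported, and checks
# that the PCSC daemon is running on a Linux client device.

# find_pcsclite DIR... : print the first libpcsclite.so found in DIR list
# (the caller supplies the search list, e.g. /usr/lib /usr/lib64 /opt/pcsc/lib).
find_pcsclite() {
    for d in "$@"; do
        for f in "$d"/libpcsclite.so "$d"/libpcsclite.so.*; do
            [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
        done
    done
    return 1
}

# in_linker_path FILE : succeed if the dynamic linker already knows FILE
# (taken from "ldconfig -p"), so no TTA_LIB_PCSCLITE override is needed.
in_linker_path() {
    command -v ldconfig >/dev/null 2>&1 || return 1
    ldconfig -p 2>/dev/null | awk '{print $NF}' | grep -qx "$1"
}

# configure_pcsclite DIR... : print an "export TTA_LIB_PCSCLITE=..." line for
# the login script when the library lives outside the linker path; print
# nothing when the default lookup will work; fail if no library is found.
configure_pcsclite() {
    lib=$(find_pcsclite "$@") || { echo "libpcsclite.so not found" >&2; return 1; }
    in_linker_path "$lib" && return 0
    printf 'export TTA_LIB_PCSCLITE=%s\n' "$lib"
}

# pcscd_running : succeed if the PCSC daemon is active, trying systemctl,
# then the /sbin/service command from the checklist, then a process lookup.
pcscd_running() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active --quiet pcscd && return 0
    fi
    if [ -x /sbin/service ]; then
        /sbin/service pcscd status >/dev/null 2>&1 && return 0
    fi
    pgrep -x pcscd >/dev/null 2>&1
}
```

Run `configure_pcsclite /usr/lib /usr/lib64 /opt/pcsc/lib >> ~/.profile` once per client to persist the override, and `pcscd_running || echo "pcscd is not running"` as the first step of the checklist.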

On Oracle Solaris platforms, do the following:

  • If you are using the PC/SC Shim for SCF package, check that the OCF server, ocfserv, is running. If the OCF server is not running, use the following command to enable the OCF server:

    # svcadm enable svc:/network/rpc/ocfserv

  • If you are using the Sun Ray PC/SC Bypass package, check the Sun Ray Software configuration.

5.5.7.5: Are there any error messages listed in the log file?

Smart card device access data and error messages are stored in the SGD Client log file. This data is displayed in the Detailed Diagnostics page of the SGD webtop.