8.9 CCID IFD Handler for External USB Smart Card Readers (Oracle Solaris)

8.9.1 How to Install CCID IFD Handler
8.9.2 How to Uninstall CCID IFD Handler
8.9.3 Known Issues

Sun Ray Software supports the CCID IFD handler V1.3.10 on Sun Ray servers running Oracle Solaris. The handler provides access to external CCID-compliant USB smart card readers connected to Sun Ray Clients and client computers running Oracle Virtual Desktop Client. CCID IFD handler V1.3.10 is a Sun Ray implementation of the Interface Device Handler (IFD) for the PC/SC-lite API. When used in conjunction with the smart card services provided by the Sun Ray Software, this CCID IFD handler enables PC/SC-compliant applications and middleware to use external CCID-compliant USB smart card readers on desktop clients.

See Section 8.6.2, “How to Configure External CCID-Compliant USB Smart Card Readers for Authentication (Oracle Solaris)” for details on all the steps required.

8.9.1 How to Install CCID IFD Handler

Follow these instructions to install the CCID IFD handler.

Note

To install the CCID IFD handler in an Oracle Solaris Trusted Extensions environment, perform the installation as root from ADMIN_LOW (global zone).

  1. Download and unpack the CCID IFD handler.

    The CCID IFD Handler is not provided with the Sun Ray Software release. However, you can download the PC/SC-lite 1.3 component from the 5.1.1 Media Pack, which includes the CCID IFD Handler v1.3.10 distribution. Only the CCID IFD handler needs to be installed. PC/SC-lite is already installed with Sun Ray Software.

  2. Become superuser on the Sun Ray server.

  3. Install the CCID IFD handler:

    # svcadm disable pcscd
    # /usr/sbin/pkgadd -d . SUNWusb-scrdr
    # svcadm enable pcscd
    

8.9.2 How to Uninstall CCID IFD Handler

Follow these instructions to remove the CCID IFD handler.

Note

To uninstall the CCID IFD handler from an Oracle Solaris Trusted Extensions environment, perform the uninstallation as root from ADMIN_LOW (global zone).

  1. Become superuser on the Sun Ray server.

  2. Uninstall the CCID IFD handler:

    # svcadm disable pcscd
    # /usr/sbin/pkgrm SUNWusb-scrdr
    # svcadm enable pcscd
    

8.9.3 Known Issues

Here are some known issues when using external USB smart card readers.

8.9.3.1 PC/SC-lite USB Enumeration Delays

Currently, there is a delay of a few seconds before external USB readers become visible to PC/SC-lite client applications. This delay occurs whenever a PC/SC-lite instance is started for a user session as well as any other time the USB bus needs to be re-enumerated. Specifically, an enumeration delay where external USB readers are not immediately visible to an application occurs under the following circumstances:

  • The first time a PC/SC-lite instance is started. That is, when an application attempts to access PC/SC-lite from within a given session for the first time.

  • Whenever a PC/SC-lite instance is automatically restarted after PC/SC-lite self-terminates due to a period of inactivity. This is similar to the first case.

  • Whenever a Session Mobility event occurs, it causes a delay in reader visibility while external USB readers on the target Sun Ray Client are re-enumerated. Session Mobility is not currently supported by the CCID IFD handler for external USB readers on Sun Ray Clients.

  • Resetting or power-cycling the Sun Ray Client in a Sun Ray session.

8.9.3.2 Enumeration Delay Causes Problems for Some Applications

Certain applications, such as the Windows Smart Card login over the Windows connector, are not designed to accommodate enumeration delays associated with the USB hotplug model. Such applications do not see readers that appear after they have initially scanned the PC/SC-lite reader list. In other words, readers that appear late may be missed by an application due to any of the scenarios described above.

Sometimes applications will use the first reader they find. On Sun Ray Clients, this is invariably the internal reader, unless that reader has been disabled with the following command:

    # utdevadm -d -s internal_smartcard_reader

An additional solution is to ensure that the USB reader list is visible to the application before the application scans the reader list. One way to address this is by preventing PC/SC-lite instances from timing out after a pre-specified idle period. You can disable the instance timeout by editing the /etc/smartcard/pcscd-SunRay.conf file and changing the INSTANCE_TIMEOUT parameter to -1. The shipping default value is 600 seconds (10 minutes).

When you disable inactivity timeouts by changing INSTANCE_TIMEOUT, PC/SC-lite instances stay around until the user's session is terminated, which can mean that many PC/SC-lite processes may be in the process table, using system resources.

We currently have no data on how large that impact might be as the number of user sessions on a system grows (that is, we have insufficient data on how it scales). In many cases, it may not be a problem at all, except that the process table will be more cluttered with inactive processes than otherwise.
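
The two application behaviours described in 8.9.3.2 (scanning the reader list once, and taking the first reader found) can also be avoided on the application side by rescanning and selecting the reader by name. The following is an added example, not code from Sun Ray Software or PC/SC-lite: list_fn is a hypothetical hook standing in for a wrapper around SCardListReaders(), nap_fn is a hypothetical sleep hook, and the reader names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hooks: list_fn stands in for a wrapper around SCardListReaders()
 * and fills buf with a multi-string ("name1\0name2\0\0"); nap_fn sleeps. */
typedef int (*list_fn)(char *buf, size_t len);
typedef void (*nap_fn)(unsigned ms);

/* Return the first reader in the multi-string whose name contains want. */
static const char *find_reader(const char *multi, const char *want) {
    for (const char *p = multi; *p != '\0'; p += strlen(p) + 1)
        if (strstr(p, want) != NULL)
            return p;
    return NULL;
}

/* Rescan until a matching reader appears; returns scans used, or -1. */
int wait_for_reader(list_fn list, nap_fn nap, const char *want, int max_scans,
                    unsigned delay_ms, char *out, size_t outlen) {
    char buf[512];
    for (int scan = 1; scan <= max_scans; scan++) {
        memset(buf, 0, sizeof buf);   /* keeps the closing "\0\0" intact */
        const char *r = NULL;
        if (list(buf, sizeof buf - 2) == 0 && (r = find_reader(buf, want)) != NULL) {
            snprintf(out, outlen, "%s", r);
            return scan;
        }
        if (scan < max_scans)
            nap(delay_ms);            /* reader may still be enumerating */
    }
    return -1;
}

/* Constructed stand-ins: the external reader is enumerated on the 3rd scan. */
static int fake_scans, fake_waited_ms;
int fake_list(char *buf, size_t len) {
    size_t n = (size_t)snprintf(buf, len, "Internal Reader 0");
    if (++fake_scans >= 3)            /* relies on the caller's zeroed buffer */
        snprintf(buf + n + 1, len - n - 1, "USB CCID Reader 1");
    return 0;
}
void fake_nap(unsigned ms) { fake_waited_ms += (int)ms; }

int main(void) {
    char name[64] = "";
    int scans = wait_for_reader(fake_list, fake_nap, "USB", 10, 500, name, sizeof name);
    printf("%s found after %d scans\n", name, scans);
    return 0;
}
```

A scan-once client would have stopped at the internal reader on the first pass; the bounded retry keeps the wait finite if no external reader is attached.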