11.3 Managing Client Keys

11.3.1 Key Fingerprint
11.3.2 How to Deny Access to Clients With Unconfirmed Keys
11.3.3 How to Confirm a Specific Client Key
11.3.4 How to Confirm All Unconfirmed Client Keys
11.3.5 How to Display a Client's Fingerprint Key from a Sun Ray Client
11.3.6 How to Display All Client Keys
11.3.7 How to Display All Keys for a Specific Client
11.3.8 How to Delete a Specific Client Key
11.3.9 How to Delete All Client Keys for a Specific Client

A client (a Sun Ray Client or Oracle Virtual Desktop Client) that supports client authentication has a public-private key pair for client authentication. The key pair for a client is generated when the client first boots with the appropriate firmware.

Note

Older versions of firmware or the firmware that is preinstalled on Sun Ray Clients delivered from the factory do not generate keys and do not support client authentication. To help you identify preinstalled firmware, note that versions of preinstalled firmware start with MfgPkg. You must update the firmware on the Sun Ray Clients in order to have keys generated.

When a client connects to a server and client authentication is enabled, the client sends its public key and a client identifier to the server. For a Sun Ray Client, the client identifier is its MAC address. Initially the server can verify only that the client is the owner of the submitted key, but it cannot verify that the client legitimately uses the submitted client ID.

The Sun Ray server stores a list of known clients and their public keys in the Sun Ray data store. A stored key can be marked as confirmed to indicate that authenticity of the key for the given client has been confirmed through human intervention. As long as no key has been marked confirmed for a client, the client authentication feature can ensure only that a client identifier is not used by multiple different clients with different keys. Only when the key has been verified and marked confirmed can the client authentication actually authenticate the identity of the client.

Note

Keys for Oracle Virtual Desktop Clients are not stored in the data store and they are not displayed by the utkeyadm command or Admin GUI. Instead, an Oracle Virtual Desktop Client uses its key fingerprint as a client identifier so that the authenticity of the key for the given ID is established automatically. For more information, see Section 11.3.1, “Key Fingerprint”.

By default, a client with an unconfirmed key is granted a session unless the identity of the client has already been used with a different key. If multiple keys have been submitted for the same client identifier, this might indicate an attack on that client's sessions, so session access is denied for the client. A user needs to explicitly confirm one of the keys as being authentic to re-enable access for the client.

You can select a stricter policy that requires authenticated client identities and denies access to any client whose key is not verified and confirmed by using the utpolicy command or the Admin GUI. If you choose to use this policy, you must explicitly mark the key for every new client as 'confirmed' before the client can be used. To use this policy to full effect, you should also set the client authentication mode to 'hard' in the security configuration.

You can use the utkeyadm command to manage client identities and their associated keys. All keys that are used for a client are listed by the key management tools.

With the utkeyadm command, you can perform the following actions:

You can also view, confirm, or delete associated keys for a client through the client's Desktop Properties page in the Admin GUI.

11.3.1 Key Fingerprint

A key fingerprint is a human-readable name for a key; it is the form of the key that a user can see and compare. A key fingerprint is generated as an MD5 hash of the public key data.

You can view the key fingerprint for a client in the key panel. To display the key panel, press Stop-K or Ctrl-Pause-K. To verify the authenticity of a client key, you can compare the key fingerprint displayed in the client's key panel with the one shown by the utkeyadm command for the same client.

11.3.2 How to Deny Access to Clients With Unconfirmed Keys

Sun Ray Client keys are initially considered unconfirmed and need to be confirmed as authentic for the specific client by human intervention. Oracle Virtual Desktop Client keys are always considered automatically confirmed (auto-confirmed), because the ID by which a Desktop Access Client is identified is uniquely derived from its key.

The following procedure sets the policy that a confirmed key is required before access to a client is granted. To enact a stronger policy, you should also set up the security policy to require client authentication from all clients, as described in Section 11.2.5, “How to Force Client Authentication From All Clients”.

Command-Line Steps

  1. View the current policies:

    # utpolicy
    Current Policy:
    -a -g -z both -k pseudo -u pseudo
    
  2. Set the client authentication policy with the -c option:

    # utpolicy -a -g -z both -k pseudo -u pseudo -c
    
  3. Restart the Sun Ray services:

    # utstart
    

Admin GUI Steps

  1. On the Advanced > System Policy tab page, select the Client Key Confirmation Required option in the Client Authentication section.

  2. Restart all servers in the server group.

11.3.3 How to Confirm a Specific Client Key

This procedure is required if a client receives a Keyerror (49) or Session Refused (50) icon due to conflicting or unconfirmed keys. After the key is confirmed, the client must disconnect and reconnect (reboot it, or insert and remove a smart card) before it can access a session.

Before You Begin

  • View the unconfirmed keys (key fingerprints) for all or specific clients.

  • To determine whether an unconfirmed client key really belongs to that client, display the key fingerprint for the client by pressing Stop-K or Ctrl-Pause-K.

Command-Line Steps

# utkeyadm -a -c IEEE802.000000ee0d6b
1 key confirmed .
# utkeyadm -a -c IEEE802.00000f85f52f -k 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3
1 key confirmed .

Admin GUI Steps

  1. Go to the Desktop Unit Properties page for a single client.

  2. In the Client Keys table, select a single key and click Confirm.

11.3.4 How to Confirm All Unconfirmed Client Keys

If you are certain that all clients requiring key confirmation have been connected to the server group (their genuine keys are stored on the server) and if you are certain that no unwanted clients have keys stored on the server, then you can summarily confirm all known unconfirmed keys. If conflicting keys exist for a client, that client will be skipped.

  1. Display all the client keys.

    # utkeyadm -l -H
    

    For example:

    # utkeyadm -l -H
    CID TYPE KEY-FINGERPRINT STATUS
    IEEE802.00000adc1a7a DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e confirmed
    IEEE802.00000f85f52f DSA* 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3 unconfirmed
    IEEE802.00000f85f52f DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e unconfirmed
    IEEE802.00000fe4d445 DSA* 13:d0:d4:47:aa:7f:00:ba:db:ad:26:3a:17:25:11:24 unconfirmed
    IEEE802.000000ee0d6b DSA* d0:d7:d0:57:12:18:00:ba:db:ad:b7:0f:5a:c0:8b:13 unconfirmed
    
  2. Confirm all unconfirmed client keys.

    # utkeyadm -a -U
    Skipping cid=IEEE802.00000f85f52f: Multiple (2) keys found.
    2 keys confirmed.
    

    Using the previous example, the unconfirmed client keys for IEEE802.00000fe4d445 and IEEE802.000000ee0d6b are confirmed.
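Before confirming keys in bulk, it helps to triage a listing of the shape shown above. The following POSIX shell script is an added example, not part of the Sun Ray documentation or product; it reads a constructed copy of the listing and reports the clients that utkeyadm -a -U would skip, the clients it would confirm, and, going one step beyond the procedure, any fingerprint that is stored under more than one client ID.

```shell
#!/bin/sh
# Added example, not part of the Sun Ray documentation: triage a
# "utkeyadm -l -H" listing before confirming keys in bulk.
# Assumes POSIX sh, awk and sort; the listing format is the one the manual shows.

# Constructed sample in the CID TYPE KEY-FINGERPRINT STATUS layout (not real clients).
SAMPLE_LISTING='CID TYPE KEY-FINGERPRINT STATUS
IEEE802.00000adc1a7a DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e confirmed
IEEE802.00000f85f52f DSA* 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3 unconfirmed
IEEE802.00000f85f52f DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e unconfirmed
IEEE802.00000fe4d445 DSA* 13:d0:d4:47:aa:7f:00:ba:db:ad:26:3a:17:25:11:24 unconfirmed
IEEE802.000000ee0d6b DSA* d0:d7:d0:57:12:18:00:ba:db:ad:b7:0f:5a:c0:8b:13 unconfirmed'

# CIDs with more than one stored key ("Conflict" in the Admin GUI).
# utkeyadm -a -U skips these; each needs utkeyadm -a -c CID -k FINGERPRINT
# after the fingerprint has been checked against the client's Stop-K key panel.
conflicting_cids() {
    awk 'NR > 1 { n[$1]++ } END { for (c in n) if (n[c] > 1) print c }' | LC_ALL=C sort
}

# CIDs holding exactly one key, and that key unconfirmed: what utkeyadm -a -U would confirm.
bulk_confirm_candidates() {
    awk 'NR > 1 { n[$1]++; if ($4 == "unconfirmed") u[$1]++ }
         END { for (c in u) if (n[c] == 1) print c }' | LC_ALL=C sort
}

# Fingerprints stored under more than one CID. A key is meant to identify one
# client, so a shared key deserves a look before either CID is confirmed.
shared_fingerprints() {
    awk 'NR > 1 && !(($3, $1) in seen) { seen[$3, $1] = 1; owners[$3]++ }
         END { for (f in owners) if (owners[f] > 1) print f }' | LC_ALL=C sort
}

# Print all three reports for a listing read from stdin.
# On a server: utkeyadm -l -H | triage_listing
triage_listing() {
    listing=$(cat)
    echo '== clients with conflicting keys (confirm one key explicitly) =='
    printf '%s\n' "$listing" | conflicting_cids
    echo '== clients with a single unconfirmed key (candidates for utkeyadm -a -U) =='
    printf '%s\n' "$listing" | bulk_confirm_candidates
    echo '== fingerprints stored under several client IDs (check before confirming) =='
    printf '%s\n' "$listing" | shared_fingerprints
}

printf '%s\n' "$SAMPLE_LISTING" | triage_listing
```

On the sample, the conflict report names IEEE802.00000f85f52f, the bulk candidates are the two clients the procedure above confirms, and the shared-fingerprint report shows that the key already confirmed for IEEE802.00000adc1a7a is also stored for IEEE802.00000f85f52f.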

11.3.5 How to Display a Client's Fingerprint Key from a Sun Ray Client

To display the key fingerprint for a client, press Stop-K or Ctrl-Pause-K.

If the key panel does not display, the client might have old firmware installed that does not support client authentication.

If the message No key available is displayed, the client still has preinstalled MfgPkg firmware or a bug exists.

11.3.6 How to Display All Client Keys

This procedure shows how to display client keys in the data store. For additional options to display client keys, see the utkeyadm man page.

Command-Line Steps

  • Use the utkeyadm command.

    # utkeyadm -l -H
    

    For example:

    # utkeyadm -l -H
    CID TYPE KEY-FINGERPRINT STATUS
    IEEE802.00000adc1a7a DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e confirmed
    IEEE802.00000f85f52f DSA* 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3 unconfirmed
    IEEE802.00000f85f52f DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e unconfirmed
    IEEE802.00000fe4d445 DSA* 13:d0:d4:47:aa:7f:00:ba:db:ad:26:3a:17:25:11:24 unconfirmed
    IEEE802.000000ee0d6b DSA* d0:d7:d0:57:12:18:00:ba:db:ad:b7:0f:5a:c0:8b:13 unconfirmed
    

Admin GUI Steps

  • For multiple clients, click the Desktop Units tab.

    The Client Key Status column indicates whether the client has a key in a confirmed or unconfirmed status, whether the client has multiple unconfirmed keys creating a conflict, or whether a key exists for the client. The possible Client Key Status values are None, Unconfirmed, Confirmed, Conflict, Automatic, or Invalid.

11.3.7 How to Display All Keys for a Specific Client

This procedure shows how to display client keys in the data store. For additional options to display client keys, see the utkeyadm man page.

Command-Line Steps

  • Use the utkeyadm command.

    # utkeyadm [-l|-L] -c cid -H
    

    where cid is the desktop ID of the client and -L displays additional auditing information.

Example

The following example displays all keys for the IEEE802.0003ba0d93af client with additional auditing information.

# utkeyadm -L -c IEEE802.0003ba0d93af -H
CID TYPE KEY-FINGERPRINT STATUS CREATED CONFIRMED CONFIRMED BY
IEEE802.0003ba0d93af DSA* 4f:98:25:60:3b:fe:d6:f8:fb:38:56:32:c3:e2:8b:3e unconfirmed 2009-06-01 05:08:50 UTC -

Admin GUI Steps

  • For a single client, go to the Desktop Unit Properties page.

    The Client Keys table shows the known keys and their status for the client.

11.3.8 How to Delete a Specific Client Key

  • To delete a specific client key, use the following command:

    # utkeyadm -d -c cid -k key-id
    

    where cid is the desktop ID of the desktop to which the key belongs and key-id is the key fingerprint.

    For example:

    # utkeyadm -d -c IEEE802.00000f85f52f -k 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3
    1 key deleted .
    

11.3.9 How to Delete All Client Keys for a Specific Client

  • To delete all client keys for a specific client, type the following command:

    # utkeyadm -d -c cid
    

    where cid is the desktop ID of the desktop to which the keys belong.

    For example:

    # utkeyadm -d -c IEEE802.00000f85f52f
    2 keys deleted.