Solaris Smartcard Administration Guide

Chapter 2 Getting Started With Solaris Smartcard

This chapter shows an administrator how to set up an initial Solaris Smartcard configuration:

See Chapter 1, Solaris Smartcard Overview for the following instructions:

See Chapter 3, Adding or Removing a Card Reader for these instructions:

Starting the Smartcard Console

The Smartcard Console is the graphical user interface (GUI) used to manage the Solaris Smartcard software.


Note –

Solaris Smartcard can also be administered from the command line. Both command line and Smartcard Console instructions are included in this document.


Procedure: To Start the Smartcard Console From the Command Line

Steps
  1. Log in as root or su to root.


    Note –

    If you log in as a regular user, you can run Smartcard, but you can only perform two tasks: Load Applets and Configure Applets.


  2. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    # svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  3. (Optional) If necessary, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  4. Start the Smartcard Console:


    # /usr/dt/bin/sdtsmartcardadmin &
    

    Note –

    Before you su to root, you might need to disable X server access control, because root is not granted access by default. Disable X server access control by running /usr/openwin/bin/xhost +hostname where hostname is the local host. After starting the Smartcard Console, run xhost -hostname to enable access control again.


Procedure: To Start the Smartcard Console From the CDE Desktop

Steps
  1. Log in as root to the Common Desktop Environment (CDE).

    If you are currently running CDE under your login name, exit CDE and log in as root.


    Note –

    If you log in as a regular user, you can run Smartcard, but you can only perform two tasks: Load Applets and Configure Applets.


  2. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    # svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  3. (Optional) If necessary, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  4. On the CDE control panel, click the up arrow on the Applications subpanel.

    By default, the Text Note icon, a pinned note with a pencil above the note, represents the Applications subpanel.

  5. Select Applications to display the Application Manager.

  6. Double-click the System_Admin icon in Application Manager.

  7. Double-click the Smart Card icon to start the Smartcard Console.

    You might have to scroll down to find the Smart Card icon.

See Also

You can also start the Smartcard Console from the desktop Workspace menu. sdtsmartcardadmin should be found at the top level or in the Tools submenu.

Setting Up for Smartcard Login

Use the following procedure to set up Smartcard login for a machine that is running Solaris 8, Solaris 9, or Solaris 10 OS. For some tasks, a command-line example is shown first, followed by Smartcard Console instructions. For some complex tasks, the command-line example is a link to another chapter.


Note –

You must be root to perform most of these tasks.


Procedure: To Add a Card Reader (Console)

Instructions for adding a card reader from the Smartcard Console are shown here.

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Start the Solaris Smartcard Console.

    Run sdtsmartcardadmin from the command line or select sdtsmartcardadmin from the Workspace menu.

  4. Click Card Readers in the Navigation pane.

    The Add Reader and IFD Terminal icons are displayed in the Console pane. Icons for any other enabled card reader types are also displayed.

  5. Double-click Add Reader in the Console pane.

    The Add Reader dialog box is displayed. You can also display the Add Reader dialog box by selecting Add Reader in the Console pane and choosing Properties in the Action menu.

  6. Double-click the IFD Card Terminal Reader, select the card reader, and click OK.

    The Card-Readers dialog box is displayed.

  7. Select the Basic Configuration tab.

    This tab is selected by default.

  8. Type a name for the reader in the Unique Card Terminal Name field.

    Leave the current name if you do not want to change the name. Do not include any spaces in the name.

  9. From the Device Port pulldown menu, select the port that the card reader is attached to.

    The Sun Internal Card Reader is attached to /dev/scmi2c0 by default.

  10. Enter the IFD handler location in the IFD Handler field.

    This is the full-path location of the IFD handler. The IFD handler for the internal reader is in /usr/lib/smartcard/ifdh_scmi2c.so.

  11. Click Apply or OK.

    The IFD Terminal is displayed in the Console pane. A dialog is displayed, stating that the OCF Server must be restarted to complete the operation.

  12. Click Restart OCF Now to add the internal reader.

    The internal reader is not added until OCF is killed and restarted.


    Note –

    If you do not restart OCF now, you must restart OCF from the command line to add the internal reader.


    # svcadm restart network/rpc/ocfserv
    

    The ocfserv process is restarted the next time you start the Smartcard Console or issue the smartcard command.


See Also

For command-line instructions, see Adding a Card Reader.

Procedure: To Add Support for a New Card Type (Console)

To use a new type of smart card, you have to provide its Answer to Reset (ATR) property to ocfserv. The following are Smartcard Console instructions.

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Insert the smart card with the new ATR in the card reader.

  4. In the Navigation pane, select Smart Cards.

  5. Double-click the icon in the Console pane that represents the type of card currently inserted.

    The Smart Card dialog box displays a list of the known ATRs for this card type. You can also display the Smart Card dialog box by selecting the appropriate card in the Console pane and choosing Properties in the Action menu.

  6. If the ATR on the card is new and not in the list, click Add.

    The Add ATR dialog box is displayed. The ATR of the card inserted in the card reader is shown in the Inserted Card's ATR listbox.


    Note –

    To determine if the ATR value of the inserted card has been registered, click the Add button. If nothing is listed, your card's ATR is already known. Otherwise, you should perform the following steps.


  7. Select the ATR of the inserted card or type the new ATR in the New ATR field.

    You can find the new ATR value in the smart-card product literature.

  8. Click OK in the Add ATR dialog box.

    The new ATR is added to the list in the Smart Card dialog box.

  9. Select the new ATR in the list in the Smart Card dialog box.

  10. Click OK in the Smart Card dialog box to activate the change.

Procedure: To Add Support for a New Card Type (Command Line)

If you prefer the command line, use this procedure.

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Type the following to add “12345” as a new PayFlex ATR:


    # smartcard -c admin -x modify "PayFlex.ATR=3B69000057100A9 3B6911000000010100 12345"
    

    Note –

    If you want to retain the current ATR, you must enter the current ATR and the new ATR.
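
    The modify command above must carry every ATR that should stay registered, so the easy mistake is to drop the existing list. As an added example that is not part of the Sun guide, this POSIX sh helper takes the card type, the currently registered ATRs and the new one, rejects non-hex or duplicate values, and prints the smartcard -c admin -x modify command for review rather than running it; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Sun guide): build the smartcard(1M) "modify"
# property string for a new ATR without dropping the ATRs already registered.
# The guide warns that the current ATRs must be re-entered, so this helper
# takes them as an argument instead of relying on memory.
# Usage: build_atr_property CARD CURRENT_ATRS NEW_ATR
#   CARD          card type name, e.g. PayFlex
#   CURRENT_ATRS  space-separated list currently registered (may be empty)
#   NEW_ATR       hex ATR to append

is_hex() {
    # Succeed only if $1 is a non-empty string of hex digits.
    case "$1" in
        '' | *[!0-9A-Fa-f]*) return 1 ;;
    esac
    return 0
}

atr_registered() {
    # Succeed if $2 already appears in the space-separated list $1.
    for atr in $1; do
        [ "$atr" = "$2" ] && return 0
    done
    return 1
}

build_atr_property() {
    card=$1; current=$2; new=$3
    if ! is_hex "$new"; then
        echo "ATR must be hexadecimal: $new" >&2
        return 2
    fi
    if atr_registered "$current" "$new"; then
        echo "ATR already registered for $card: $new" >&2
        return 3
    fi
    if [ -n "$current" ]; then
        printf '%s.ATR=%s %s\n' "$card" "$current" "$new"
    else
        printf '%s.ATR=%s\n' "$card" "$new"
    fi
}

# Print the full command (dry run) so it can be reviewed before it is run
# as root; the property string is double-quoted exactly as in the guide.
atr_modify_command() {
    prop=$(build_atr_property "$@") || return $?
    printf 'smartcard -c admin -x modify "%s"\n' "$prop"
}
```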


Procedure: To Load the Smartcard Applet to a Smart Card (Console)

Use this procedure to load the Solaris Smartcard applet (SolarisAuthApplet) to a smart card. You must load the Solaris Smartcard applet before you can add the user profile information. The following are Smartcard Console instructions.

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Insert the smart card into the reader.

  4. Select the Load Applets icon in the Navigation pane.

  5. Double-click the SolarisAuthApplet icon in the Console pane.

    The Load Applets dialog box is displayed. Applets for various card types are displayed in the left listbox. You can also display the Load Applets dialog box by selecting the appropriate card in the Console pane and choosing Properties in the Action menu.

  6. Select the card type that you want to initialize.

    Choices include the following:

    • CyberFlex

    • iButton

    • PayFlex

  7. Click the arrow between the two listboxes.

    The selected applet is copied to the Pending Applet Installations listbox, with a check in the checkbox and the name of the smart card displayed. If no card or the wrong smart card is inserted in the card reader, “No compatible devices inserted” is displayed. Insert the appropriate card.

  8. Click the Install button.

    A window that is labeled “Loading Applet to Device” is displayed. The applet loads in approximately one minute. When the installation is complete, a window displays the confirmation message “Applet Installation Successful.”

  9. Click OK to dismiss the confirmation window.

    The card now stores default values. If the card previously stored different PIN or different user profile values, those values have been overwritten. See PIN Property and User and Password Properties for more information.

Procedure: To Load the Smartcard Applet to a Smart Card (Command Line)

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. With the smart card inserted in the card reader, type the following:


    # smartcard -c load -i /usr/share/lib/smartcard/SolarisAuthApplet.capx
    

    When the load finishes, the following message is displayed:


    Operation successful.

Procedure: To Set Up a User Profile (Console)

Use this procedure to specify the user name and password that are associated with the application (dtlogin) for the card being set up. The following are Smartcard Console instructions.

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Insert the smart card that you want to configure into the card reader.

  4. Select Configure Applets in the Navigation pane.

    The icon for the type of card in the reader is displayed in the Console pane.

  5. Double-click the icon in the Console pane.

    The Configure Applets dialog box is displayed. You can also display the Configure Applets dialog box by selecting the icon in the Console pane and choosing Properties in the Action menu.

  6. Select SolarisAuthApplet in the Configure Applets dialog box.

    The SolarisAuthApplet configuration folders appear on the right side of the dialog box. The folders are represented by tabs labeled “PIN” and “User Profiles.” For some smart cards, “RSA Key” and “PKI Cert” folders might also be represented. Only User Profiles changes are described here. See To Change the PIN on a Card (Console) for PIN change information.

  7. Select the User Profiles tab in the Configure Applets dialog box.

  8. Type dtlogin in the User Profile Name field.

    dtlogin represents the CDE desktop.

  9. Type a user name in User Name field.

    The name is the user name of the person to use the card. The user name cannot be more than eight characters long.


    Note –

    Click the Get button to determine the current user name that is associated with the card. You need to type the PIN to get the current user name or to change the user name or password.


  10. Type password in Password field.

    The password is the password that is associated with the user name that was typed in a previous step. The password must correspond to the user's password based on the search order for passwd in /etc/nsswitch.conf: LDAP, NIS, NIS+, or local files. The password cannot be more than eight characters long.


    Note –

    If the user's password is changed after you have configured the smart card, you or the user must repeat these steps. The new password on the smart card is not updated automatically.


  11. Click the Set button.

    The Set User Profile popup is displayed, asking for the current PIN.

  12. Type the PIN and click OK.

    The new user name and new password are stored on the card.

  13. Click OK to dismiss the dialog box.

Procedure: To Set Up a User Profile (Command Line)

If you prefer the command line, use the following procedure.

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Set the user name and the password for the dtlogin application.

    Type the following on one line to set the user name to x and the password to y for the dtlogin application. In this example, the PIN is $$$$java, the default value.


    # smartcard -c init -A A000000062030400 -P '$$$$java' user=x password=y application=dtlogin
    

    Note –

    You must type the loaded applet ID and the current PIN. In the previous example, -A A000000062030400 specifies the SolarisAuthApplet applet ID. The PIN is the default SolarisAuthApplet value. Enclose the PIN, $$$$java, or any PIN that contains the shell special characters—such as $—within single quotes. Otherwise, the shell tries to interpret the PIN as a variable, and the command fails.


See Also

For more information, see To Create User Information on a Smart Card (Command Line).

Procedure: To Verify a PIN for a Smart Card

Use this procedure to verify the PIN for a smart card.

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Insert the smart card into the card reader.

  4. As root, type the following to verify the PIN for the smart card.


    # smartcard -c init -A A000000062030400 -P 'PIN_number'

    PIN_number represents the PIN set for the card and A000000062030400 is the applet ID for the SolarisAuthApplet.

    If the PIN is invalid, an Invalid PIN message is displayed. A valid PIN results in no output.

Procedure: To Change the PIN on a Card (Console)

Use this procedure to change the PIN on a smart card by using the Smartcard Console.


Note –

An end user who knows the current PIN can change the PIN on a card.


Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Insert the smart card that you want to configure into the card reader.

  4. Select Configure Applets in the Navigation pane.

    The icon for the type of card in the reader is displayed in the Console pane.

  5. Double-click the card icon in the Console pane.

    The Configure Applets dialog box is displayed.

  6. Select SolarisAuthApplet in the listbox.

    The SolarisAuthApplet configuration folders appear on the right side of the dialog box. The folders are represented by tabs that are labeled “PIN” and “User Profiles.” For some smart cards, “RSA Key” and “PKI Cert” might also appear. Only PIN change is described here.

  7. Select the PIN tab.

  8. Type and retype a new PIN.

    A PIN can contain up to eight characters.

  9. Click Change.

    A popup window that is labeled “Change PIN” is displayed.

  10. Type the previous PIN in the popup window. Click the OK button.

    The default PIN, loaded on the card when the SolarisAuthApplet was installed on the card, is $$$$java.

Procedure: To Change the PIN on a Card (Command Line)

If you prefer the command line, use the following procedure.

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. With the smart card inserted in the card reader, type the following to change the default PIN ($$$$java) to 001234:


    # smartcard -c init -A A000000062030400 -P '$$$$java' pin=001234
    

    Note –

    You must type the loaded applet ID and the current PIN. In the previous example, -A A000000062030400 specifies the SolarisAuthApplet applet ID (aid) and the PIN is the default SolarisAuthApplet value. Be sure to type the new PIN correctly because you are not prompted to confirm the new PIN. Enclose the PIN, $$$$java, or any PIN that contains shell special characters—such as $—within single quotes. Otherwise, the shell tries to interpret the PIN as a variable, and the command fails.
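
    The quoting caveat in the notes on the PIN-change and user-profile commands, the eight-character limits on user name, password and PIN, and the lack of a confirmation prompt for a new PIN, as an added example that is not part of the Sun guide: POSIX sh helpers that single-quote a PIN for the shell, check field lengths and print the smartcard -c init command lines for a dtlogin profile and for a PIN change. The applet ID is the one the guide gives; the function names are my own, and the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not part of the Sun guide: build the "smartcard -c init"
# command lines for the SolarisAuthApplet and enforce the rules the guide
# states. User name, password and PIN are at most eight characters, and a
# PIN that contains shell special characters such as $ has to be
# single-quoted or the shell expands it. Commands are printed, not run.

SOLARIS_AUTH_AID=A000000062030400   # applet ID as given in the guide

shell_quote() {
    # Wrap $1 in single quotes; an embedded ' becomes '\'' so the result
    # survives $, backquotes and spaces when pasted into sh.
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

check_len() {
    # $1 = field name, $2 = value; the guide limits each field to 8 characters.
    if [ -z "$2" ] || [ ${#2} -gt 8 ]; then
        echo "$1 must be 1 to 8 characters" >&2
        return 1
    fi
}

profile_init_command() {
    # $1 current PIN, $2 user name, $3 password, $4 application (dtlogin).
    # The password is quoted like the PIN because it may also contain $.
    check_len PIN "$1" && check_len "user name" "$2" && check_len password "$3" \
        || return 1
    printf 'smartcard -c init -A %s -P %s user=%s password=%s application=%s\n' \
        "$SOLARIS_AUTH_AID" "$(shell_quote "$1")" "$2" "$(shell_quote "$3")" "$4"
}

pin_change_command() {
    # $1 current PIN, $2 new PIN, $3 new PIN typed again. smartcard(1M) does
    # not ask for confirmation, so a typo would silently set the wrong PIN.
    if [ "$2" != "$3" ]; then
        echo "new PIN values do not match" >&2
        return 1
    fi
    check_len "current PIN" "$1" && check_len "new PIN" "$2" || return 1
    printf 'smartcard -c init -A %s -P %s pin=%s\n' \
        "$SOLARIS_AUTH_AID" "$(shell_quote "$1")" "$(shell_quote "$2")"
}
```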


Procedure: To Enable Smartcard on a System (Console)

Use this procedure to enable Solaris Smartcard on a system by using the Smartcard Console. The following must be done on each system that uses Smartcard authentication. For detailed information about Solaris Smartcard commands, see the following man pages:

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Select OCF Clients in the Navigation pane.

    The Desktop icon is displayed in the Console pane.

  4. Select the Desktop icon.

  5. Choose Properties from the Action menu.

    The Configure Clients dialog box is displayed.

  6. Select the Cards/Authentications tab in the dialog box.

    The supported smart cards are listed in the listbox at the left.

  7. Select the radio button that is labeled “Activate Desktop's Smart Card Capabilities.”

    As soon as you click OK in the Configure Clients dialog box, Smartcard is activated. You must have a working card reader on the system and a smart card configured with your user name and password.

  8. Click the Apply or OK button.

    Solaris Smartcard is now enabled on the system.

  9. Exit CDE to activate the change.

Troubleshooting

If you do not know the PIN on the card, you are locked out of the system. If you cannot access your system because of Smartcard, use rlogin to log in to the system remotely and disable Smartcard. See To Disable Smartcard.

You can disable Smartcard from the Configure Clients dialog box. Select the radio button that is labeled “Deactivate Desktop's Smart Card Capabilities” and click OK.

Setting Timeout and Card Removal Actions

If you don't want to use the default values for Smartcard timeouts and card removal actions, you can change the values. The procedures for changing the values are described in the following sections.

Procedure: To Set Smartcard Timeouts (Console)

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Select OCF Clients in the Navigation pane.

  4. Select the Desktop icon in the Console pane.

  5. Choose Properties in the Action menu.

  6. Select the Timeouts tab in the dialog box.

    The Configure Clients dialog box is displayed.

  7. Select the Timeouts tab in the Configure Clients dialog box.

  8. Adjust the timeouts by using the mouse to slide the indicator for each timeout.

    • Card Removal Timeout – Specifies the number of seconds the desktop waits after a smart card is removed before locking the screen. The card removal timeout only applies if the “Ignore Card Removal” box is not checked in the Options tab. If Card Removal Logout Wait is set to 0, a user is never logged out. The screen remains locked until the user reauthenticates to unlock the screen.

    • Reauthentication Timeout – Specifies the number of seconds the Reauthentication screen is displayed when the card has been removed. At the end of the specified time, the screen is locked.

    • Card Removal Logout Wait Timeout – Specifies the number of seconds the desktop waits for a smart card to be reinserted when the Reauthentication screen is displayed. If the card is not reinserted in time, the user is logged out. Note that this timeout is relevant only if Reauthenticate After Card Removal—in the Options tab—is set to False.

  9. Click the Apply or OK button.

  10. Exit CDE to activate the change.

Procedure: To Set Card Removal Options (Console)

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Select OCF Clients in the Navigation pane.

  4. Select the Desktop icon in the Console pane.

  5. Choose Properties in the Action menu.

    The Configure Clients dialog box is displayed.

  6. Select the Options tab in the dialog box.

  7. Click the checkboxes to toggle between on or off.

    • Ignore Card Removal – If checked, nothing happens when a smart card is removed from the reader.

    • Reauthenticate After Card Removal – If checked, a user is logged out when a card is removed. If Reauthenticate is not checked, the Card Removal Logout Wait setting—in the Timeouts tab—determines what happens.

  8. Click the Apply or OK button.

  9. Exit CDE to activate the change.