Solaris Smartcard Administration Guide

Chapter 4 Troubleshooting

This section explains how to solve some Solaris Smartcard problems. The following sections are included:

Resolving Smartcard Login Problems

If a user cannot log in to a system, you might need to disable Solaris Smartcard or correct a setup problem.

ProcedureTo Disable Smartcard

You might need to disable Smartcard on a system in the following instances:

Do the following to disable Solaris Smartcard.

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Disable smart-card operations.


    # smartcard -c disable
    

ProcedureTo Correct Smartcard Setup Problem

After you have enabled Smartcard and logged off from a system, the CDE login screen displays the following prompt:


Please insert Smart Card

If you are unable to log in to a system by using a smart card because of Smartcard setup problems, try the following:

Steps
  1. Log in to the system remotely with the rlogin or telnet command.

  2. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  3. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  4. Disable Smartcard:


    # smartcard -c disable
    

    After Smartcard is disabled, the CDE screen displays the following prompt:


    Enter User Name
  5. Correct the Smartcard setup problem.

Resolving Applet, ATR, or Configuration Problems

You might have a problem downloading an applet to a smart card, adding support for a new type of card, or an illegal entry in your Solaris Smartcard configuration file.

Resolving Applet Downloading Problems

You might see the following message while trying to download the applet on the card:


SmartcardInvalidCardException

This message probably indicates that you have not added the ATR of the smart card inserted in the reader to the list of valid ATRs the system can accept. Try to update the card's ATR by following the steps in To Add Support for a New Card Type (Console).

ProcedureTo Add a Missing ATR

When you try to add a smart card in the Smartcard Console, a screen displays the ATR of the card inserted in the reader. If the ATR that is displayed does not exist in the list of valid ATRs, add the ATR to the card-name.ATR property.

For related information, see To Add Support for a New Card Type (Console), which provides Smartcard Console instructions and a command-line example.

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Display ocfserv properties to see if the card_name.ATR property exists.


    # smartcard -c admin
    

    For example, ocfserv lists a property MySCM.0.ATR, where MySCM is the user-friendly name of the card reader. This property reflects the ATR of the smart card that is inserted in the reader. This property is temporary. The property is added by ocfserv only for the time the card is in the reader. This property is removed when the card is removed.

  4. Add this ATR to the card_name.ATR property if the ATR displayed by this property does not exist in the list of valid ATRs.

ProcedureTo Resolve Configuration Problems

The /etc/smartcard/opencard.properties file stores important smart card configuration information. This file requires no administration. Do not edit this file manually. However, if you inadvertently introduced a problem in your smart card configuration, you can restore the previous version of /etc/smartcard/opencard.properties.

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Change to the /etc/smartcard directory.

  4. Save the current version first.


    # cp opencard.properties opencard.properties.bad
    
  5. Copy the previous version to the current version.


    # cp opencard.properties.bak opencard.properties
    

Debugging Smartcard

You can debug smart-card operations on a system by setting the debugging properties. Solaris Smartcard offers standard debugging and a detailed trace of your operations, if specified. If enabled, debugging information is logged to a file. You can control the level and amount of debugging information on a 0–9 scale. Debugging is disabled by default.

The following debugging properties are defined for ocfserv by default:


debugging.filename        = /var/run/ocf.log
debugging                 = 0
/var/run/ocf_log

The name of the file to contain debugging information.

debugging = 0

Debugging is disabled. Debugging is enabled if debugging = 1.


Note –

Previous to the Solaris 8 release, the debugging log file might be called /tmp/ocf_debugfile.


For debugging procedures, see the following:

ProcedureTo Enable Debugging (Console)

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Select OCF Server from the Navigation pane.

  4. Double-click the icon that represents the local system.

  5. Select the Debug tab.

  6. Slide the indicator for the OCF Debug Level slider to indicate the level of debugging you want.

  7. Slide the indicator for the Open Card Trace Level slider to indicate the trace level you want.

  8. (Optional) Specify an alternate name for the debug file.

    1. Click Browse to view the file systems on the system.

    2. Type the fully qualified path name for the debug file in the OCF Debug File Location field.

  9. Click the Apply or OK button.

ProcedureTo Enable Debugging (Command Line)

Use the following procedure to enable smart-card debugging.

Steps
  1. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  2. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  3. Enable smart card debugging by setting debugging=1.


    # smartcard -c admin -x modify debugging=1
    

    In the following example, the location of the ocfserv debugging file is changed. The location is changed by using the -x modify debugging.filename option and by specifying a fully qualified file name for the debugging file.


    # smartcard -c admin -x modify debugging.filename=/var/tmp/sc.debug