This chapter describes how to set up a smart card from the SmartCard Console and from the command line.
This is a list of the step-by-step instructions in this chapter.
The tasks in this chapter assume that you have identified how you will implement smart cards at your site and that you have set up a card reader on every system that will use smart cards. See "Planning Your Smart Card Configuration" for more information.
Task | Description
---|---
1. Verify That Card Services Are Activated | Verify that card services for the smart card to be used for login are active.
2. Add or Change the ATR on a Smart Card | (Optional) Add the card's ATR, or change it if the smart card manufacturer has issued a new card.
3. Load Applets Onto a Smart Card | Load the SolarisAuthApplet applet onto the smart card.
4. Change the PIN on a Smart Card | Change the default PIN on the smart card.
5. Create User Information on a Smart Card | Store the login information for the user on the smart card.
6. Set Up the Default Authentication Mechanism for the OCF Server and Client Applications | Define the default authentication mechanism for ocfserv and the default mechanism for all client applications.
7. Enable Smart Card Operations | Enable smart card operations on the system.
By default, all card services supported by Solaris Smart Cards are active when the Solaris 8 release is installed.
See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.
Click Card Services on the Navigation pane.
The Card Services dialog box is displayed.
Double-click the smart card icon.
Select one of the following to activate or deactivate card services:
Click OK.
If you are prompted to restart ocfserv, click Don't Restart OCF.
See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.
Insert the smart card that has the newer ATR into the card reader.
On the Navigation pane, select Smart Cards.
Double-click the icon representing the type of card currently inserted.
The Smart Card: Card-Type dialog box displays a list of the known ATRs for this card type, and an Add button for adding a new ATR.
If this is a new ATR, click Add. Either type the new ATR in the New ATR field and click OK or Apply to activate the change, or use an ATR read from the inserted card, which is shown in the Inserted Card's ATR box.
You can find the new ATR value in the smart card product literature.
Any values in the Inserted Card's ATR box are ATRs that ocfserv read from the inserted card and did not find among the known ATRs, so it treats them as new. If you use the Inserted Card's ATR box, you do not need to type anything in the New ATR field; select the ATR and click OK or Apply to activate the change.
See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.
Insert the smart card into the reader.
Select the Load Applets icon from the Navigation pane.
Double-click the SolarisAuthApplet icon.
Select the Cyberflex, iButton, or Payflex applet for the card type you want to initialize.
Use the arrow in the middle of the window to move the selected applet to the Pending Applet Installations area.
Click Install.
A pop-up window with an OK button displays.
If you cannot click Install and a "No compatible devices inserted" message is displayed, make sure that you have selected the correct applet for your card and that your card's ATR is known to ocfserv. See the previous section for information on identifying your card's ATR.
Click OK.
The applet takes a minute or so to load. A window with a confirmation message is then displayed.
Use this command to load the SolarisAuthApplet applet onto any card type supported by Solaris Smart Cards.
Insert the smart card into the reader.
Become superuser.
Load the SolarisAuthApplet applet onto the smart card.

```
# smartcard -c load -i /usr/share/lib/smartcard/SolarisAuthApplet.capx
```

When smartcard -c load finishes, the following message is displayed:

```
Operation successful.
```
See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.
Select Configure Applets from the Navigation pane.
The icon for the type of card in the reader is displayed.
Double-click the card icon.
The Configure Applets: card-name dialog box is displayed.
Click the SolarisAuthApplet icon.
Select the PIN folder at the top.
Type the new PIN in the Type New PIN field and again in the Retype New PIN field.
The original PIN for a newly loaded applet is $$$$java. Because this default is the same on every card, change it before the card is issued to a user.
Click Change.
Enter the old PIN in the pop-up window.
Click OK.
On the command line, be sure to type the new PIN correctly, because you will not be prompted to confirm it.
Make sure the smart card is inserted in the card reader.
Become superuser.
Change the PIN.
```
# smartcard -c init -A A000000062030400 -P '$$$$java' pin=001234
```

Enclose the default PIN, $$$$java, or any PIN that contains shell special characters (such as $), in single quotes. Otherwise the shell tries to expand the PIN as a variable (left unquoted, each $$ in $$$$java becomes the shell's process ID), the card never sees the real PIN, and the command fails.
See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.
Select Configure Applets from the Navigation pane.
The icon for the type of card in the reader is displayed.
Double-click the card icon.
The Configure Applets: card-name dialog box is displayed.
Select the SolarisAuthApplet.
The SolarisAuthApplet Configuration folders appear on the right side of the dialog box.
Select the User Profiles folder.
Type dtlogin for User Profile Name.
Provide a valid user-name and user-password for the user who will log in with the smart card.
Value | Description
---|---
user-name | The user's login name.
user-password | The password associated with user-name. This password must be in the password database defined by the system's /etc/nsswitch.conf file (NIS, NIS+, or local files).

If the user's password is changed in the password database after you have configured the smart card, you must repeat these steps to store the new password on the smart card. The card is not updated automatically.
Click Set to set and save these attributes.
Enter the PIN in the pop-up window.
Click OK.
If you are creating the user profile for the first time, click Yes in the Set User Profile: Create New User Profile window.
This command works for all smart card devices supported by Solaris Smart Cards. Make sure the card is in the card reader.

Set the PIN, login name, password, and application for the card by typing the following on one line. The PIN specified here is the one you set in "How to Change a PIN on a Smart Card (Console)".

```
# smartcard -c init -A A000000062030400 -P '001234' username=nigel password=changeme application=dtlogin
```

Because the PIN and the user's password are passed as command-line arguments, they are saved in the shell's history and are visible to other users in ps(1) output while the command runs. Run this command from a shell with history disabled, on a system where no other users are logged in.
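The three command-line steps above (load the applet, replace the default PIN, store the dtlogin profile) chained into one script that stops at the first failed step and keeps the PIN and password out of shell history, as an added example; this is not code from the Solaris documentation. It assumes that smartcard exits non-zero when a step fails and that only the load step prints "Operation successful.", as shown above; the SMARTCARD variable (which lets the script be exercised against a stub) and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Solaris Smart Cards documentation: provision one
# card from the command line with the same smartcard(1M) invocations shown in
# this chapter, stopping at the first failed step.
# Assumptions: smartcard exits non-zero on failure; "Operation successful." is
# printed by the load step; SMARTCARD may be overridden to test with a stub.

SMARTCARD="${SMARTCARD:-smartcard}"
APPLET=/usr/share/lib/smartcard/SolarisAuthApplet.capx   # path from this chapter
AID=A000000062030400                                     # SolarisAuthApplet AID from this chapter
DEFAULT_PIN='$$$$java'   # single quotes: unquoted, each $$ becomes the shell PID

# run_sc EXPECT_MSG ARGS...: run one smartcard subcommand. Fails on a non-zero
# exit and, when EXPECT_MSG is yes, when "Operation successful." is missing.
# Only the subcommand is echoed on error, never the PIN or the password.
run_sc() {
    expect_msg=$1; shift
    out=$("$SMARTCARD" "$@" 2>&1) ||
        { echo "smartcard $1 $2 failed: $out" >&2; return 1; }
    if [ "$expect_msg" = yes ]; then
        printf '%s\n' "$out" | grep -q 'Operation successful' ||
            { echo "smartcard $1 $2: unexpected output: $out" >&2; return 1; }
    fi
}

# valid_pin PIN: refuse an empty PIN, one containing whitespace (it would be
# split into extra arguments), or the well-known default.
valid_pin() {
    case $1 in
    ''|*[[:space:]]*) return 1 ;;
    esac
    [ "$1" != "$DEFAULT_PIN" ]
}

load_applet() { run_sc yes -c load -i "$APPLET"; }

# change_pin OLD NEW
change_pin() { run_sc no -c init -A "$AID" -P "$1" pin="$2"; }

# set_profile PIN USER PASSWORD: store the dtlogin profile on the card.
set_profile() {
    run_sc no -c init -A "$AID" -P "$1" username="$2" password="$3" application=dtlogin
}

# provision_card NEWPIN USER PASSWORD: the three steps in order. The PIN is
# changed before the profile is written because the profile step needs it.
provision_card() {
    valid_pin "$1" ||
        { echo "refusing PIN: empty, contains whitespace, or is the default" >&2; return 1; }
    load_applet && change_pin "$DEFAULT_PIN" "$1" && set_profile "$1" "$2" "$3"
}

# main USER: read the PIN and password from the terminal so they do not land in
# shell history. They are still visible in ps(1) output while smartcard runs;
# the command-line interface gives no way around that.
main() {
    stty -echo
    printf 'New PIN: '; read -r pin; echo
    printf 'Password for %s: ' "$1"; read -r pw; echo
    stty echo
    provision_card "$pin" "$1" "$pw"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh provision.sh nigel` on the system with the card inserted; each smartcard call is checked, so a card that rejects the default PIN (already provisioned, or a different applet) stops the script before the profile step rather than leaving a half-configured card.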
Become superuser.
Set the default authentication mechanism for all client applications.
```
# smartcard -c admin -a default -x modify authmechanism="Pin | Password | ChallengeResponse"
```

The value is one or more of Pin, Password, and ChallengeResponse, separated by spaces; the list is the authentication sequence. For example, if you want the default authentication mechanism for client programs to be PIN Password, type:

```
# smartcard -c admin -a default -x modify authmechanism="Pin Password"
```

Thereafter, when you type smartcard -c admin, you see the following default authentication mechanism:

```
default.authmechanism = Pin Password
```
Set the default authentication mechanism for the server.
```
# smartcard -c admin -x modify authmechanism="Pin | Password | ChallengeResponse"
```

For example, if you want the default authentication mechanism for ocfserv to be PIN Password, type:

```
# smartcard -c admin -x modify authmechanism="Pin Password"
```
If the client and server authentication sequences are not the same, the client authentication sequence takes precedence over the server authentication sequence.
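The two admin commands above wrapped so that the mechanism list is validated before smartcard is called, the change is read back to confirm it took effect, and the client-over-server precedence rule is applied to report the effective sequence, as an added example that is not from the Solaris documentation. It assumes smartcard exits non-zero on failure, that smartcard -c admin prints the default.authmechanism line as shown above, and that smartcard -c admin -a default prints the same line for the client default (the page shows -a default only with -x modify, so reading it back that way is an assumption); SMARTCARD and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Solaris Smart Cards documentation: set the default
# authentication mechanism for client applications or for ocfserv, reject
# mechanism names this chapter does not list, read the value back to confirm
# it, and compute which default wins under the precedence rule.
# Assumptions: smartcard exits non-zero on failure; "smartcard -c admin" prints
# "default.authmechanism = ..."; "smartcard -c admin -a default" prints the
# same line for the client default (an assumption, the page shows only modify).

SMARTCARD="${SMARTCARD:-smartcard}"

# valid_mechs "Pin Password": each space-separated word must be one of the
# three names from this chapter; anything else is refused before any change.
valid_mechs() {
    [ -n "$1" ] || return 1
    for m in $1; do
        case $m in
        Pin|Password|ChallengeResponse) ;;
        *) echo "unknown mechanism: $m" >&2; return 1 ;;
        esac
    done
}

# get_authmech client|server: print the stored default.authmechanism value.
get_authmech() {
    if [ "$1" = client ]; then set -- -c admin -a default
    elif [ "$1" = server ]; then set -- -c admin
    else return 1; fi
    "$SMARTCARD" "$@" | sed -n 's/^default\.authmechanism *= *//p'
}

# set_authmech client|server "Pin Password": apply the change, then read it
# back so a silently ignored modify is reported instead of assumed.
set_authmech() {
    valid_mechs "$2" || return 1
    case $1 in
    client) "$SMARTCARD" -c admin -a default -x modify authmechanism="$2" || return 1 ;;
    server) "$SMARTCARD" -c admin -x modify authmechanism="$2" || return 1 ;;
    *) echo "usage: set_authmech client|server MECHS" >&2; return 1 ;;
    esac
    [ "$(get_authmech "$1")" = "$2" ] ||
        { echo "$1 default.authmechanism did not change to '$2'" >&2; return 1; }
}

# effective_authmech: the sequence a login will actually use. The client
# default takes precedence over the server default whenever it is set.
effective_authmech() {
    c=$(get_authmech client)
    if [ -n "$c" ]; then printf '%s\n' "$c"; else get_authmech server; fi
}

# The example from this chapter: make "Pin Password" the client default and
# report the effective sequence. Runs only when invoked with "apply".
if [ "${1:-}" = apply ]; then
    set_authmech client "Pin Password" && printf 'effective: %s\n' "$(effective_authmech)"
fi
```

Because effective_authmech prefers the client value, a server default of Pin alone does not weaken a client default of Pin Password, and the read-back in set_authmech is what tells you whether a typo in the mechanism list was silently dropped by ocfserv rather than applied.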
The user must use the accepted smart card for the system and possibly type a PIN to successfully log in to this system after smart cards are enabled. See Chapter 9, Using Your Smart Card (Tasks) for information about logging in with a smart card.