Solaris Smart Cards Administration Guide

Chapter 5 Setting Up a Smart Card (Tasks)

This chapter describes how to set up a smart card from the SmartCard Console and from the command line.

This is a list of the step-by-step instructions in this chapter.

The tasks in this chapter assume that you have identified how you will implement smart cards at your site. The tasks also assume that you have set up a card reader on all systems that will use smart cards. See "Planning Your Smart Card Configuration" for more information.

Setting Up a Smart Card (Task Map)

Table 5-1 Setting Up a Smart Card (Task Map)

| Task | Description | Instructions |
|------|-------------|--------------|
| 1. Verify That Card Services are Activated | Verify that card services for the smart card to be used for login are active. | "How to Deactivate or Activate Card Services (Console)" |
| 2. Add or Change the ATR on a Smart Card (Optional) | Add the card's ATR or change it if the smart card manufacturer has issued a new card. | "How to Add or Change the ATR on a Smart Card (Console)" |
| 3. Load Applets Onto a Smart Card | Load the SolarisAuthApplet applet onto the smart card. | "How to Load an Applet Onto a Smart Card (Console)" |
| 4. Change the PIN on a Smart Card | Change the default PIN on the smart card. | "How to Change a PIN on a Smart Card (Console)" |
| 5. Create User Information on a Smart Card | Identify personal information about the user on a smart card. | "How to Create User Information on a Smart Card (Console)" |
| 6. Set Up the Default Authentication Mechanism for the OCF Server and Client Applications | Define the default authentication mechanism for the server and the default mechanism for all client applications. | "How to Set Up the Default Authentication Mechanism for the Server and Client Applications (Command Line)" |
| 7. Enable Smart Card Operations | Enable smart card operations on the system. | "How to Enable Smart Card Operations (Command Line)" |

How to Deactivate or Activate Card Services (Console)

By default, all card services supported by Solaris Smart Cards are active when the Solaris 8 release is installed.

See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.

  1. Click Card Services on the Navigation pane.

    The Card Services dialog box is displayed.

  2. Double-click the smart card icon.

  3. Select one of the following to activate or deactivate card services:

    1. Keep card services active by verifying that the "Keep card_type services activated" radio button is selected.

    2. Deactivate card services by selecting the "Deactivate the card_type services" radio button.

  4. Click OK.

  5. If you are prompted to restart ocfserv, press Don't Restart OCF.

How to Add or Change the ATR on a Smart Card (Console)

See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.

  1. Insert the smart card with the newer ATR in the card reader.

  2. On the Navigation pane, select Smart Cards.

  3. Double-click the icon representing the type of card currently inserted.

    The Smart Card: Card-Type dialog box displays a list of the known ATRs for this card type, and an Add button for adding a new ATR.

  4. If this is a new ATR, click Add. Then either type the new ATR in the New ATR field, or select one of the ATRs found on the inserted card, which are displayed in the Inserted Card's ATR box. Click OK or Apply to activate the changes.

    You can find the new ATR value in the smart card product literature.

    If numbers appear in the Inserted Card's ATR box, they are ATRs that ocfserv found on the inserted card and assumed to be new. If you use the Inserted Card's ATR box, you do not need to use the New ATR field or type the new number. Instead, select the ATR and click OK or Apply to activate the changes.

How to Load an Applet Onto a Smart Card (Console)

See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.

  1. Insert the smart card into the reader.

  2. Select the Load Applets icon from the Navigation pane.

  3. Double-click the SolarisAuthApplet icon.

  4. Select the Cyberflex, iButton, or Payflex applet for the card type you want to initialize.

  5. Use the arrow in the middle of the window to move the selected applet to the Pending Applet Installations area.

  6. Click Install.

    A pop-up window with an OK button displays.

    If you cannot click Install and a "No compatible devices inserted" message is displayed, make sure that you have selected the correct applet for your card and that your card's ATR is known. See the previous section for information on identifying your card's ATR.

  7. Click OK.

    It takes a minute or so for the applet to load. A window with a confirmation message displays.

How to Load an Applet Onto a Smart Card (Command Line)

Use this command to load the SolarisAuthApplet applet onto all card types supported by Solaris Smart Cards.

  1. Insert the smart card into the reader.

  2. Become superuser.

  3. Load the SolarisAuthApplet applet onto a smart card.


    # smartcard -c load -i /usr/share/lib/smartcard/SolarisAuthApplet.capx
    

    When the smartcard -c load command finishes, the following message displays:


    Operation successful.

How to Change a PIN on a Smart Card (Console)

See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.

  1. Select Configure Applets from the Navigation pane.

    The icon for the type of card in the reader is displayed.

  2. Double-click the card icon.

    The Configure Applets: card-name dialog box is displayed.

  3. Click the SolarisAuthApplet icon.

  4. Select the PIN folder at the top.

  5. Type the new PIN in the Type New PIN field and again in the Retype New PIN field.

    The original PIN for a loaded applet is $$$$java.

  6. Click Change.

  7. Enter the old PIN in the pop-up window.

  8. Click OK.

How to Change a PIN on a Smart Card (Command Line)


Caution -

Be sure to type the new PIN correctly because you will not be prompted to confirm it.


  1. Make sure the smart card is inserted in the card reader.

  2. Become superuser.

  3. Change the PIN.


    # smartcard -c init -A A000000062030400 -P '$$$$java' pin=001234
    

    Enclose the default PIN, $$$$java, or any PIN containing shell special-characters (such as $) within single quotes. Otherwise, the shell tries to interpret the PIN as a variable, and the command fails.
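
The quoting rule above, as an added example that is not part of the original guide: it shows what the shell turns the default PIN into when it is placed in double quotes ($$ expands to the shell's process ID) and prints the PIN-change command with both PINs single-quoted. The helper names sq_quote, expand_in_double_quotes and pin_change_cmd are hypothetical; the applet ID and PINs are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not from the guide. Helper names are hypothetical.

AID=A000000062030400    # applet ID from the page's smartcard -c init commands
DEFAULT_PIN='$$$$java'  # default applet PIN stated on the page

# Wrap a string in single quotes so the shell passes it through literally.
# An embedded single quote becomes '\'' (close quote, escaped quote, reopen).
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Show what the shell makes of a PIN placed in double quotes instead.
# Demo only: eval is applied to the constructed constant above, never to input.
expand_in_double_quotes() {
    eval "printf '%s' \"$1\""
}

# Print the page's PIN-change command with both PINs safely quoted.
pin_change_cmd() {      # $1 = current PIN, $2 = new PIN
    printf 'smartcard -c init -A %s -P %s pin=%s\n' \
        "$AID" "$(sq_quote "$1")" "$(sq_quote "$2")"
}

printf 'PIN as typed:         %s\n' "$DEFAULT_PIN"
printf 'inside double quotes: %s\n' "$(expand_in_double_quotes "$DEFAULT_PIN")"
printf 'command to run:       '
pin_change_cmd "$DEFAULT_PIN" 001234
```

The second output line is the string the card would actually receive as the current PIN if double quotes were used, which is why the command fails.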

How to Create User Information on a Smart Card (Console)

See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.

  1. Select Configure Applets from the Navigation pane.

    The icon for the type of card in the reader is displayed.

  2. Double-click the card icon.

    The Configure Applets: card-name dialog box is displayed.

  3. Select the SolarisAuthApplet.

    The SolarisAuthApplet Configuration folders appear on the right side of the dialog box.

  4. Select the User Profiles folder.

  5. Type dtlogin for User Profile Name.

  6. Provide a valid user-name and user-password for the user who will log in with the smart card.

    user-name

    Is the user's login name. 

    user-password

    Is the password associated with user-name. This password must be in the password database defined by a system's /etc/nsswitch.conf file (NIS, NIS+, or local files).


    Note -

    If the user's password is changed in the passwd file after you have configured the smart card, you must repeat these steps to store the new password in the smart card. It is not updated automatically.


  7. Click Set to set and save these attributes.

  8. Enter the PIN in the pop-up window.

  9. Click OK.

  10. If you are creating the user profile for the first time, click yes in the Set User Profile: Create New User Profile window.

Example--Creating User Information on a Smart Card (Command Line)

This command is appropriate for all smart card devices supported by Solaris Smart Cards. Make sure the card is in the card reader.

Set the PIN, login name, password, and application for the card by typing the following on one line. The PIN specified here is the one you specified in "How to Change a PIN on a Smart Card (Console)".


    # smartcard -c init -A A000000062030400 -P '001234' username=nigel password=changeme application=dtlogin

How to Set Up the Default Authentication Mechanism for the Server and Client Applications (Command Line)

  1. Become superuser.

  2. Set the default authentication mechanism for all client applications.


    # smartcard -c admin -a default -x modify authmechanism="Pin | Password | ChallengeResponse"
    

    For example, if you want the default authentication mechanism for client programs to be PIN Password, type:


    # smartcard -c admin -a default -x modify authmechanism="Pin Password"
    

    Thereafter, when you type smartcard -c admin, you see the following default authentication mechanisms:


    default.authmechanism     = Pin Password

  3. Set the default authentication mechanism for the server.


    # smartcard -c admin -x modify authmechanism="Pin | Password | ChallengeResponse"

    For example, if you want the default authentication mechanism for ocfserv to be PIN Password, type:


    # smartcard -c admin -x modify authmechanism="Pin Password"
    

    Note -

    If the client and server authentication sequences are not the same, the client authentication sequence takes precedence over the server authentication sequence.


How to Enable Smart Card Operations (Command Line)

After smart cards are enabled, the user must use the accepted smart card for the system, and possibly type a PIN, to log in to this system. See Chapter 9, Using Your Smart Card (Tasks) for information about logging in with a smart card.

  1. Become superuser on each system to be used in smart card operations.

  2. Stop the desktop.


    # /etc/init.d/dtlogin stop
    
  3. Turn on smart card operations.


    # smartcard -c enable
    
  4. Restart the desktop.


    # /etc/init.d/dtlogin start