This section provides an overview of ocfserv properties that you can change if the default properties do not suit your site. You might need to change these properties if:
They do not entirely support the security needs of your site.
Your smart card or card reader manufacturer updates its product, and changes the product's ATR number, card terminal factory names, or other information.
Developers at your site create custom applications that require you to add security properties.
See Chapter 7, Additional OCF Server and Client Configuration (Tasks) for step-by-step instructions on changing these properties.
The following sections describe each ocfserv property and provide its default value. You can view these properties in the SmartCard Console or with the smartcard -c admin command.
The ocf.server.default.validcards property specifies which smart card types are valid on the system. By default, all three smart card types are valid.
See "How to Change the Valid Smart Cards for the Server (Console)" for step-by-step instructions on changing this property.
The ocf.client.default.defaultcard property specifies to ocfserv which card is the default smart card. By default, Solaris Smart Cards has no default smart card.
See "How to Change the Default Smart Card for the Server (Console)" for step-by-step instructions on changing this property.
The OpenCard.terminals property defines the card readers supported by the system. For example, for a system with a Sun SCRI External Card Reader 1, the value for OpenCard.terminals is:
OpenCard.terminals = com.sun.opencard.terminal.scm.SCMStc.SCMStcCardTerminalFactory|MySCM|SunSCRI|dev/cua/b
Here OpenCard.terminals defines the Sun SCRI External Card Reader 1 as the currently configured reader. The smartcard -c admin command displays the OpenCard.terminals property only after you have added a card reader.
For instructions on adding a card reader, see Chapter 3, Setting Up a Card Reader (Tasks).
The OpenCard.services property specifies the location of the card-specific modules. Each smart card type has the following modules defined:
OpenCard.services = com.sun.opencard.service.cyberflex.CyberFlexServiceFactory com.sun.opencard.service.ibutton.IButtonServiceFactory com.sun.opencard.service.payflex.PayFlexServiceFactory
For instructions on activating or deactivating card services, see "How to Deactivate or Activate Card Services (Console)".
To use this feature of Solaris Smart Cards, you must have a public-key infrastructure (PKI) set up at your site. See "How to Create a Private Key on a Smart Card (Command Line)" for step-by-step instructions on creating a private key on a smart card.
You can store only one private key on a smart card.
After authenticating the PIN and password on the smart card, ocfserv copies the file specified in key_file_name to the smart card. Thereafter, the private key is available on the card for signing data as an additional form of authentication. When the user runs a command for signing data, such as amisign from AMI, the command uses the private key on the user's smart card to create the signed data.
Depending on your site's policies, you might want to delete the user's private-key file from the system where it is stored. Thereafter, the private key exists only on the user's smart card.
The following table describes properties that you should not change.
Table 6-1 Do Not Change These OCF Server Properties
Property Name | Property Definition |
---|---|
initializerlocations | The location of the Java Class directory containing the applet initializer: initializerlocations = com.sun.opencard.cmd.IButtonInit |
cardservicelocations | The location of the Java Class directory where the card service module is located: cardservicelocations = com.sun.opencard.service.common |
ocfserv.protocol | The TCP protocol used by ocfserv: ocfserv.protocol = rpc |
authservicelocations | The location of the Java Class directory containing the authentication module: authservicelocations = com.sun.opencard.service.auth |
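
The values documented in this section can be checked mechanically. The following Python script is an added example, not part of the original guide or of Solaris Smart Cards: it reports drift from the Table 6-1 values, OpenCard.services factories that this page does not list, and OpenCard.terminals entries that lack the four |-separated fields of the example above. It assumes the properties are supplied as "name = value" lines (the form used in this section's examples) and that multiple reader entries are separated by whitespace; the com.example.* names in the sample are constructed.

```python
# Added example (not Sun's code): audit ocfserv properties against this page's values.
# Assumption: input is "name = value" lines, the form the page's examples use.
DO_NOT_CHANGE = {  # Table 6-1 values as given on this page
    "initializerlocations": "com.sun.opencard.cmd.IButtonInit",
    "cardservicelocations": "com.sun.opencard.service.common",
    "ocfserv.protocol": "rpc",
    "authservicelocations": "com.sun.opencard.service.auth",
}
DOCUMENTED_SERVICES = {  # OpenCard.services factories listed on this page
    "com.sun.opencard.service.cyberflex.CyberFlexServiceFactory",
    "com.sun.opencard.service.ibutton.IButtonServiceFactory",
    "com.sun.opencard.service.payflex.PayFlexServiceFactory",
}

def parse_properties(text):
    """Return {name: value} from 'name = value' lines; skip comments and other lines."""
    props = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            props[name.strip()] = value.strip()
    return props

def parse_terminals(value):
    """Split OpenCard.terminals into one '|'-separated field list per reader entry."""
    return [entry.split("|") for entry in value.split()]

def audit(props):
    """Return a sorted list of findings; absent properties are not reported."""
    findings = []
    for name, expected in DO_NOT_CHANGE.items():
        if name in props and props[name] != expected:
            findings.append(f"{name}: expected {expected!r}, found {props[name]!r}")
    for factory in props.get("OpenCard.services", "").split():
        if factory not in DOCUMENTED_SERVICES:
            findings.append(f"OpenCard.services: undocumented factory {factory}")
    for fields in parse_terminals(props.get("OpenCard.terminals", "")):
        if len(fields) != 4 or not all(fields):
            findings.append(f"OpenCard.terminals: malformed entry {'|'.join(fields)}")
    return sorted(findings)

SAMPLE = """\
# constructed sample, not output captured from a real system
OpenCard.terminals = com.sun.opencard.terminal.scm.SCMStc.SCMStcCardTerminalFactory|MySCM|SunSCRI|dev/cua/b
OpenCard.services = com.sun.opencard.service.ibutton.IButtonServiceFactory com.example.card.ExtraServiceFactory
authservicelocations = com.example.auth
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_properties(SAMPLE))))
```

A finding is a prompt for review, not proof of tampering: a site that has added a custom card service or a new reader on purpose will see it listed here until the allow-lists are updated.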