Solaris Smart Cards Administration Guide

OCF Client Properties Overview

This section describes the client properties that you might want to change based on your smart card configuration. You can view these properties in the SmartCard Console or with the smartcard -c admin command.

The following properties are defined by default for the OCF client.


ClientName.PropertyName     Value
-----------------------     -----
default.validcards        = CyberFlex IButton PayFlex
default.authmechanism     = Pin=UserPin
default.defaultaid        = A000000062030400

Default Smart Card and Card Reader for the Client

The ocf.client.defaultcard property defines a specific card type (among all valid card types) that must be used with the client application. The card types supported by Solaris Smart Cards include:

Use the Available Resource: Card Reader category to define a default smart card reader to be recognized by the client application.

See "How to Define the Default Smart Card for the Client (Console)" and "How to Define the Default Smart Card Reader for the Client (Console)" for step-by-step instructions on changing these properties.

Valid and Default Card Types for Client Applications

Two card properties designate which smart card types the user must use to log in to a particular client application, or to all client applications on the system: defaultcard and validcards.

The validcards property specifies all smart card types that are valid for a particular application. In contrast, the defaultcard property tells the application to wait until the card defined as the default card is loaded into the reader.

For example, suppose you specify iButton, Cyberflex, and CardA as the validcards properties for Application B. Then you specify Cyberflex as the defaultcard property. If Application B accepts only its default card and the user tries to log in to Application B with CardA, then the system displays the message:


Waiting for Default Card

Login to Application B is blocked until the user inserts a Cyberflex card into the reader.

When you run smartcard -c admin, these values are displayed:


default.validcards        = CyberFlex IButton PayFlex

See "How to Change the Valid Smart Cards for a Client Application (Command Line)" and "How to Assign a Default Smart Card to a Client Application (Command Line)" for step-by-step instructions on changing these properties.
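
The validcards and defaultcard rules described above, modelled as an added example that is not part of the original guide or of Solaris Smart Cards. The appb client name, the sample listing, case-insensitive matching of card names, the fallback to the default client, and the outcome names are assumptions of this example.

```python
# Added example: models the validcards/defaultcard rules from this section.
# SAMPLE is constructed; the "appb" client and its values are hypothetical.
SAMPLE = """\
ClientName.PropertyName     Value
-----------------------     -----
default.validcards        = CyberFlex IButton PayFlex
appb.validcards           = IButton CyberFlex CardA
appb.defaultcard          = CyberFlex
"""

def parse_properties(text):
    """Return {client: {property: value}} from 'client.property = value' lines."""
    props = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")  # first '=' only: keeps Pin=UserPin
        if not sep or "." not in name:
            continue  # header, rule, or blank line
        client, _, prop = name.strip().rpartition(".")
        props.setdefault(client, {})[prop] = value.strip()
    return props

def lookup(props, client, prop):
    """Client's own value, else the 'default' client's (fallback is assumed)."""
    return props.get(client, {}).get(prop) or props.get("default", {}).get(prop)

def card_names(props, client):
    """Valid card types for a client, lower-cased (case folding is assumed)."""
    return (lookup(props, client, "validcards") or "").lower().split()

def check_card(props, client, card):
    """Login outcome for a client that accepts only its default card."""
    default = lookup(props, client, "defaultcard")
    if card.lower() not in card_names(props, client):
        return "rejected"  # state name chosen for this example
    if default and card.lower() != default.lower():
        return "waiting for default card"
    return "accepted"

def audit(props):
    """Flag a defaultcard that is not among the client's valid card types."""
    return [f"{client}: defaultcard {values['defaultcard']} not in validcards"
            for client, values in props.items()
            if "defaultcard" in values
            and values["defaultcard"].lower() not in card_names(props, client)]

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    for card in ("CardA", "Cyberflex", "PayFlex"):
        print(card, "->", check_card(props, "appb", card))
    print(audit(props) or "no findings")
```

The audit function catches the configuration in which a defaultcard is set to a type missing from validcards, which would leave the application waiting for a card it can never accept.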

Default Authentication Mechanism for Client Applications

The default.authmechanism property specifies the default authentication mechanism for all client applications. The default for all client applications is Pin=UserPin. You also can use authmechanism to define the authentication mechanism to be used for a specific client application.

See "How to Set Up the Default Authentication Mechanism for the Server and Client Applications (Command Line)" for step-by-step instructions on setting the default authentication mechanism for all client applications.

Default Client Authentication Sequence for Valid Cards

The ocf.client.default.authmechanism property determines the default authentication sequence used for all valid cards during login to the client application.

The Smart Cards Used checklist, available from the Configure Clients: CDE dialog box, shows all smart card types currently activated for ocfserv.

The card_name Authentications list shows the available authentication mechanisms for the card type you selected from the Smart Cards Used list.

The order of authentication mechanisms in the card_name Authentications list is the actual order of the authentication sequence that ocfserv tries when a user accesses this client application.

See "How to Change the Default Client Authentication Sequence for Valid Cards (Console)" for step-by-step instructions for changing this property.

Default Client Applet Identification Property

The default.defaultaid property is an ID number assigned to the default smart card applet that runs for every application. The default ID number shown by smartcard -c admin is:


default.defaultaid        = A000000062030400

This value is the AID property for SolarisAuthApplet, the default applet run by Solaris Smart Cards.

Change the defaultaid property only if you need to replace it with an applet custom built for your site. In this instance, refer to the smartcard(1M) man page for help.

Changing Client Application and Card Removal Timeouts

Use the Timeouts folder to determine the amount of time the client application waits after a card is removed before restarting the authentication process.

See "How to Define Client Application and Card Removal Timeouts (Console)" for step-by-step instructions.

Changing Client Application Behavior When a Card is Removed

Use the Options folder to define client application behavior when a user removes a smart card while the client application is running.

See "How to Change the Client Application Behavior When a Card is Removed (Console)" for step-by-step instructions.