Solaris Smart Cards Administration Guide

Chapter 7 Additional OCF Server and Client Configuration (Tasks)

This chapter describes additional OCF server and client configuration tasks that you might want to perform after initially setting up a smart card. You can complete these tasks from the SmartCard Console or the command line.

This is a list of the step-by-step instructions in this chapter.

Additional OCF Server Configuration Tasks

OCF server properties define operations of ocfserv on each system. You can change these properties using either the OCF Server Configuration dialog box or the smartcard -c admin command. To change OCF server properties using the command line, use the following basic steps.

  1. Become superuser on the system where you want to change properties.

  2. Change the default server property.


    # smartcard -c admin -x modify "property_name=property_value"
    

    -x modify

    Indicates that you want to modify a property. 

    property_name=property_value

    Represents the property to be modified and the value you want to assign to it. 

How to View OCF Server and Client Properties (Command Line)

  1. Become superuser on the system that you want to configure.

  2. Display the configurable properties.


    # smartcard -c admin
    

    Your screen should resemble the following:


    Client Properties:
      ClientName.PropertyName   Value
      -----------------------   -----
      default.validcards      = CyberFlex IButton PayFlex
      default.authmechanism   = Pin=UserPin
      default.defaultaid      = A000000062030400
    
    Server Properties:
    
      PropertyName             Value
      ------------             -----
      authmechanism           = Pin Password   
      OpenCard.terminals      = com.sun.opencard.terminal.scm.
    SCMStc.SCMStcCardTerminalFactory|MySCM|SunSCRI|/dev/cua/b
      ocfserv.protocol        = rpc
      PayFlex.ATR             = 3B6900005792020101000100A9 3B69110000005792020101000100
      authservicelocations    = com.sun.opencard.service.auth
      OpenCard.services       = com.sun.opencard.service.cyberflex.CyberFlexServiceFactory 
    com.sun.opencard.service.ibutton.IButtonServiceFactory com.sun.opencard.service.payflex.
    PayFlexServiceFactory abc.class com.sun.services.scm.SCMStcCardTerminalFactory
      initializerlocations    = com.sun.opencard.cmd.IButtonInit
      IButton.ATR             = 008F0E0000000000000000000004000034909000
      cardservicelocations    = com.sun.opencard.service.common
      CyberFlex.ATR           = 3B169481100601810F 3B169481100601811F
      country                 = US
      debugging.filename      = /tmp/ocf_debugfile
      language                = en
      debugging               = 0

How to Change the Valid Smart Cards for the Server (Console)

See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.

By default, all three card types are considered valid by the OCF server.

  1. Select OCF Server from the Navigation pane.

  2. Double-click the icon representing the local system.

  3. Select Valid Smart Cards from the Available Resources list.

  4. Click the check box in the list that you want to deselect or select as a valid smart card type.

  5. Activate the card services for the cards you selected as being valid.

    For instructions on activating card services, see "How to Deactivate or Activate Card Services (Console)".

  6. Click Apply or OK.

How to Change the Default Smart Card for the Server (Console)

See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.

  1. Select OCF Server from the Navigation pane.

  2. Double-click the icon representing the local system.

  3. Select Default Smart Cards from the Available Resources list.

  4. Click the check box in the list that represents the card type you want as the default.

    None is selected by default, which means there is no default smart card type.

  5. Activate the card services for the cards you selected as the default.

    For instructions on activating card services, see "How to Deactivate or Activate Card Services (Console)".

  6. Click Apply or OK.

Additional Client Configuration Tasks

Before performing the tasks in this section, you must have:

How to Define the Default Smart Card for the Client (Console)

See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.

  1. Select OCF Clients from the Navigation pane.

  2. Double-click the CDE icon.

  3. Select the Defaults folder.

  4. Select Smart Card from the Available Resources list.

  5. Select the radio button for the smart card that will serve as the default for the client. You can select only one default card type.


    Note -

    The card type you select for the default card type must also be defined as a valid card. See "How to Change the Default Smart Card for the Server (Console)".


  6. Click Apply or OK.

How to Define the Default Smart Card Reader for the Client (Console)

See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.

  1. Select OCF Clients from the Navigation pane.

  2. Double-click the CDE icon.

  3. Select the Defaults folder.

  4. Select Card Reader from the Available Resources list.

  5. Select the radio button for the card reader that will serve as the default for the client. You can pick only one default card reader.


    Note -

    The card reader you choose must accommodate the default smart card you previously defined.


  6. Click Apply or OK.

How to Change the Default Client Authentication Sequence for Valid Cards (Console)

See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.

  1. Select OCF Clients from the Navigation pane.

  2. Double-click the CDE icon.

  3. Select one or more valid smart card types on the Smart Cards Used list.

    The card_name Authentications list shows PIN as the default authentication mechanism assigned by Solaris Smart Cards. The Tag column lists a lookup value assigned to the application.

  4. Click Add to display a combo box.

  5. Pull down on the arrow to display the authentication mechanisms active on the OCF server, and choose additional mechanisms as needed.

  6. Repeat this procedure for each card type selected as a valid card.

  7. Click Apply or OK.

How to Change the Valid Smart Cards for a Client Application (Command Line)

  1. Become superuser.

  2. Change the default valid cards.


    # smartcard -c admin -a default -x modify validcards="IButton | CyberFlex | PayFlex"

    IButton | CyberFlex | PayFlex

    Indicates any one or a combination of these values. 

    For example, to define the valid smart card types as CyberFlex and PayFlex for all applications, type:


    # smartcard -c admin -a default -x modify validcards="CyberFlex PayFlex"
    

How to Assign a Default Smart Card to a Client Application (Command Line)

The application_name.authmechanism property enables you to assign an authentication mechanism to a particular application.

  1. Become superuser on the system with the client properties you want to modify.

  2. Assign a default smart card type to an application.


    # smartcard -c admin -a application_name -x add defaultcard=card_name
    

    application_name

    Is the application for which you want to define a default smart card type. 

    card_name

    Is the smart card type that must be used to log in to this application, either CyberFlex, PayFlex, or IButton.

    For example, to define iButton as the default card type for a system's desktop, type:


    # smartcard -c admin -a dtlogin -x add defaultcard=IButton
    

    Thereafter, when you run smartcard -c admin, you see the following client properties:


    dtlogin.defaultcard       = IButton
    default.validcards        = CyberFlex PayFlex
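
The rule stated earlier in this chapter, that a default card type must also be defined as a valid card, can be checked against the smartcard -c admin listing. The following script is an added example, not part of the original guide: check_defaultcards and sample_properties are hypothetical names, the sample listing is constructed from values shown in this chapter, and the precedence of an application-specific validcards list over default.validcards is an assumption.

```sh
#!/bin/sh
# Reads `smartcard -c admin` output on stdin. Prints "application card" for
# each defaultcard that is not a valid card; returns non-zero if any is found.
check_defaultcards() {
    awk '
        $1 == "Server" && $2 == "Properties:" { in_server = 1 }
        in_server { next }                 # only client properties matter
        # Client lines: name.property = value [value ...]
        $2 == "=" && split($1, key, /\./) == 2 {
            if (key[2] == "validcards") {
                has_list[key[1]] = 1
                for (i = 3; i <= NF; i++) valid[key[1], $i] = 1
            } else if (key[2] == "defaultcard") {
                wanted[key[1]] = $3
            }
        }
        END {
            for (app in wanted) {
                # Assumption: an application-specific validcards list, if
                # present, takes precedence over default.validcards.
                scope = (app in has_list) ? app : "default"
                if (!((scope, wanted[app]) in valid)) {
                    print app, wanted[app]
                    bad = 1
                }
            }
            exit bad + 0
        }
    '
}

# Constructed sample, modelled on the listings shown in this chapter.
sample_properties() {
    cat <<'EOF'
Client Properties:
  ClientName.PropertyName   Value
  -----------------------   -----
  default.validcards      = CyberFlex PayFlex
  dtlogin.defaultcard     = IButton
Server Properties:
  ocfserv.protocol        = rpc
  debugging.filename      = /tmp/ocf_debugfile
EOF
}

sample_properties | check_defaultcards || echo "defaultcard not in validcards" >&2
```

On a live system, run smartcard -c admin | check_defaultcards as superuser. Given the two client properties listed above, it prints dtlogin IButton, because IButton is not in default.validcards.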

How to Define Client Application and Card Removal Timeouts (Console)

See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.

  1. Select OCF Clients from the Navigation pane.

  2. Double-click the CDE icon.

  3. Select the Timeouts folder.

  4. Slide the indicator to change the amount of time for any of the following timeout values.

    • Card Removal Timeout

    • Re-authentication Timeout

    • Card Removal Logout Wait Timeout

    See "Changing Client Application and Card Removal Timeouts" for a description of each value.

How to Change the Client Application Behavior When a Card is Removed (Console)

See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.

  1. Select OCF Clients from the Navigation pane.

  2. Double-click the CDE icon.

  3. Select the Timeouts folder.

  4. Enable or disable the following options:

    • Ignore Card Removal

    • Re-authenticate After Card Removal

    See "Changing Client Application Behavior When a Card is Removed" for a description of each option.