This chapter describes additional OCF server and client configuration tasks that you might want to perform after initially setting up a smart card. You can complete these tasks from the SmartCard Console or the command line.
This is a list of the step-by-step instructions in this chapter.
"How to View OCF Server and Client Properties (Command Line)"
"How to Change the Valid Smart Cards for the Server (Console)"
"How to Change the Default Smart Card for the Server (Console)"
"How to Define the Default Smart Card for the Client (Console)"
"How to Define the Default Smart Card Reader for the Client (Console)"
"How to Change the Default Client Authentication Sequence for Valid Cards (Console)"
"How to Change the Valid Smart Cards for a Client Application (Command Line)"
"How to Assign a Default Smart Card to a Client Application (Command Line)"
"How to Define Client Application and Card Removal Timeouts (Console)"
"How to Change the Client Application Behavior When a Card is Removed (Console)"
OCF server properties define how ocfserv operates on each system. You can change these properties by using either the OCF Server Configuration dialog box or the smartcard -c admin command. To change OCF server properties from the command line, use the following basic steps.
Become superuser on the system where you want to change properties.
Change the default server property.
smartcard -c admin -x modify "property_name=property_value"

-x modify
    Indicates that you want to modify a property.
property_name=property_value
    Represents the property to be modified and the value you want to assign to it.
Become superuser on the system that you want to configure.
Display the configurable properties.
# smartcard -c admin
Your screen should resemble the following:
Client Properties:

ClientName.PropertyName    Value
-----------------------    -----
default.validcards       = CyberFlex IButton PayFlex
default.authmechanism    = Pin=UserPin
default.defaultaid       = A000000062030400

Server Properties:

PropertyName             Value
------------             -----
authmechanism          = Pin Password
OpenCard.terminals     = com.sun.opencard.terminal.scm.
                         SCMStc.SCMStcCardTerminalFactory|MySCM|SunSCRI|/dev/cua/b
ocfserv.protocol       = rpc
PayFlex.ATR            = 3B6900005792020101000100A9 3B69110000005792020101000100
authservicelocations   = com.sun.opencard.service.auth
OpenCard.services      = com.sun.opencard.service.cyberflex.CyberFlexServiceFactory
                         com.sun.opencard.service.ibutton.IButtonServiceFactory
                         com.sun.opencard.service.payflex.
                         PayFlexServiceFactory
                         abc.class
                         com.sun.services.scm.SCMStcCardTerminalFactory
initializerlocations   = com.sun.opencard.cmd.IButtonInit
IButton.ATR            = 008F0E0000000000000000000004000034909000
cardservicelocations   = com.sun.opencard.service.common
CyberFlex.ATR          = 3B169481100601810F 3B169481100601811F
country                = US
debugging.filename     = /tmp/ocf_debugfile
language               = en
debugging              = 0
See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.
By default, all three card types are considered valid by the OCF server.
Select OCF Server from the Navigation pane.
Double-click the icon representing the local system.
Select Valid Smart Cards from the Available Resources list.
Click the check box in the list that you want to deselect or select as a valid smart card type.
Activate the card services for the cards you selected as being valid.
For instructions on activating card services, see "How to Deactivate or Activate Card Services (Console)".
Click Apply or OK.
See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.
Select OCF Server from the Navigation pane.
Double-click the icon representing the local system.
Select Default Smart Cards from the Available Resources list.
Click the check box in the list that represents the card type you want as the default.
None is selected by default, which means there is no default smart card type.
Activate the card services for the cards you selected as the default.
For instructions on activating card services, see "How to Deactivate or Activate Card Services (Console)".
Click Apply or OK.
Before performing the tasks in this section, you must have:
Configured at least one card reader for the system.
Activated card services on the system.
Decided on the default authentication mechanism to use at your site and the sequence in which each mechanism must occur.
Determined which applications running on the system must be protected by smart card login.
See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.
Select OCF Clients from the Navigation pane.
Double-click the CDE icon.
Select the Defaults folder.
Select Smart Card from the Available Resources list.
Select the radio button for the smart card that will serve as the default for the client. You can select only one default card type.
The card type you select as the default card type must also be defined as a valid card. See "How to Change the Default Smart Card for the Server (Console)".
Click Apply or OK.
See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.
Select OCF Clients from the Navigation pane.
Double-click the CDE icon.
Select the Defaults folder.
Select Card Reader from the Available Resources list.
Select the radio button for the card reader that will serve as the default for the client. You can pick only one default card reader.
The card reader you choose must accommodate the default smart card you previously defined.
Click Apply or OK.
See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.
Select OCF Clients from the Navigation pane.
Double-click the CDE icon.
Select one or more valid smart card types on the Smart Cards Used list.
The card_name Authentications list shows PIN as the default authentication mechanism assigned by Solaris Smart Cards. The Tag column lists a lookup value assigned to the application.
Click Add to display a combo box.
Pull down on the arrow to display the authentication mechanisms active on the OCF server, and choose additional mechanisms as needed.
Repeat this procedure for each card type selected as a valid card.
Click Apply or OK.
Become superuser.
Change the default valid cards.
# smartcard -c admin -a default -x modify validcards="IButton | CyberFlex | PayFlex"

IButton | CyberFlex | PayFlex
    Indicates any one or a combination of these values.

For example, to define the valid smart card types as CyberFlex and PayFlex for all applications, type:

# smartcard -c admin -a default -x modify validcards="CyberFlex PayFlex"
The application_name.authmechanism property enables you to assign an authentication mechanism to a particular application.
Become superuser on the system with the client properties you want to modify.
Assign a default smart card type to an application.
# smartcard -c admin -a application_name -x add defaultcard=card_name

application_name
    Is the application for which you want to define a default smart card type.
card_name
    Is the smart card type that must be used to log in to this application, either CyberFlex, PayFlex, or IButton.
For example, to define iButton as the default card type for a system's desktop, type:
# smartcard -c admin -a dtlogin -x add defaultcard=IButton
Thereafter, when you run smartcard -c admin, you see the following client properties:
dtlogin.defaultcard = IButton
default.validcards = CyberFlex PayFlex
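This chapter states that a default card type must also be defined as a valid card. The following added example (not part of the original guide) parses a smartcard -c admin listing and reports applications whose defaultcard is not among their valid cards. The sample text is constructed from the listings on this page; the function names, and the fallback from an application's own validcards to default.validcards, are assumptions.

```python
# Constructed sample, assembled from the listings shown on this page.
SAMPLE = """\
Client Properties:
ClientName.PropertyName    Value
-----------------------    -----
dtlogin.defaultcard      = IButton
default.validcards       = CyberFlex PayFlex
default.authmechanism    = Pin=UserPin
Server Properties:
PropertyName             Value
------------             -----
authmechanism          = Pin Password
"""


def parse_properties(text):
    """Return {"Client": {...}, "Server": {...}} from the admin listing."""
    sections, section, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Properties:"):
            section, key = sections.setdefault(line.split()[0], {}), None
        elif section is None or not line or set(line) <= set("- "):
            continue
        elif "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            section[key] = value
        elif key is not None:
            section[key] += " " + line  # wrapped value continues the property
    return sections


def default_card_findings(client):
    """List (application, card, valid cards) where the default is not valid."""
    findings = []
    for name, card in sorted(client.items()):
        app, _, prop = name.rpartition(".")
        if prop != "defaultcard":
            continue
        # Assumption: without its own validcards, an application uses default's.
        valid = client.get(app + ".validcards", client.get("default.validcards", ""))
        if card not in valid.split():
            findings.append((app, card, valid))
    return findings


if __name__ == "__main__":
    for app, card, valid in default_card_findings(parse_properties(SAMPLE)["Client"]):
        print(f"{app}: default card {card} not in valid cards ({valid})")
```

Card names are compared exactly as listed, so a name typed with different capitalization is reported as not valid.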
See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.
Select OCF Clients from the Navigation pane.
Double-click the CDE icon.
Select the Timeouts folder.
Slide the indicator to change the amount of time for any of the following timeout values.
Card Removal Timeout
Re-authentication Timeout
Card Removal Logout Wait Timeout
See "Changing Client Application and Card Removal Timeouts" for a description of each value.
See "How to Start the SmartCard Console (Command Line)" for help on starting the SmartCard Console.
Select OCF Clients from the Navigation pane.
Double-click the CDE icon.
Select the Timeouts folder.
Enable or disable the following options:
Ignore Card Removal
Re-authenticate After Card Removal
See "Changing Client Application Behavior When a Card is Removed" for a description of each option.