test

Solaris Smartcard Administration Guide

Defining Authentication Properties on a Smart Card

You set the properties on each smart card based on the user's requirements, your site's security policies, and the limitations of the type of smart card used. Using the Configure Applets dialog box, define corresponding properties for each smart card. The client and server programs on the system read the properties on the smart card to determine whether to give the user access to a particular application.

Note –

These properties apply only to cards initialized with the SolarisAuthApplet applet provided with Solaris Smartcard. If your site uses a different smart card applet, the available properties might differ. Refer to the smartcard(1M) man page for more information.

PIN Property

The PIN property is an authentication property that defines a personal identification number (PIN) for the card. The default PIN created on the card is $$$$java. Either you or the user can change $$$$java to a personalized PIN. Consider giving all users at your site the same default PIN name (for example, changeme). Then make sure each user changes the PIN to a value known only to that user.

See To Change the PIN on a Card for step-by-step instructions on changing the PIN on a smart card.

User and Password Properties

The user and password properties are authentication properties that identify the user and associate the user with the smart card's PIN. To set these properties, you must know the user's login name and password.

On systems using the default authentication mechanism of PIN, ocfserv verifies the authenticity of the PIN. Next, ocfserv reads the user and password properties on the card. If the password on the smart card matches the user's entry in the system's password database, ocfserv gives the user access to the application.

Application Property

Use the application authentication property (called a “user profile” in the Smartcard Console) to designate which applications the user needs to log in to with a login name and password. For example, to require a smart card login to the desktop, you must specify dtlogin as the application associated with the login name and password on the card. You can also require a smart card login for an application specific to your site, such as a financial package or personnel database, by specifying its name as the application property.

Before initializing an application on the card, find out which applications a user needs to access through smart card authentication. This step is particularly important when preparing a smart card for a system administrator or other user who might need to log in to an application as root or another restricted login name.

Note –

Payflex cards do not support multiple profiles; they cannot be used in cases where a user needs to log in to the desktop and one or more secure applications or uses multiple user names.

The application property on the smart card works in tandem with the other authentication properties. For example, suppose you initialized a smart card for user Frank with the following information:

The preceding information would be entered on the command line, as follows:


# smartcard -c init -A A000000062030400 -P '$$$$java' application=dtlogin
user=frank password=changeme

When Frank inserts his card into the reader and tries to log in to the desktop (dtlogin), ocfserv reads the card to determine whether any authentication properties are associated with dtlogin. The ocfserv server finds that the user and password properties are associated with dtlogin.

The ocfserv server prompts Frank for his PIN, and the typed PIN is compared with the PIN stored on the smart card assigned to the dtlogin application. Also, ocfserv uses the login name and password on Frank's card, along with the passwords in the system's password database, to verify that Frank is who he claims to be. If these properties match, Frank is logged in to the desktop.