Solaris Smartcard Administration Guide

Chapter 2 Getting Started With Solaris Smartcard

This chapter shows an administrator how to set up an initial Solaris Smartcard configuration.

Starting or Restarting the Smartcard Console

The Smartcard Console is the graphical user interface (GUI) used to manage the Solaris Smartcard software.

To Start the Smartcard Console from the Command Line
  1. Log in as root or su to root.


    Note –

    If you log in as a regular user, you can run Smartcard, but you can only perform two tasks: Load Applets and Configure Applets.


  2. Start the Smartcard Console:


    # /usr/dt/bin/sdtsmartcardadmin &

    Note –

    Before you su to root you may need to disable X server access control, since root is not granted access by default. Disable X server access control by running /usr/openwin/bin/xhost +hostname where hostname is the local host. After starting the Smartcard Console, run xhost -hostname to enable access control again.


To Start the Smartcard Console from the CDE Desktop
  1. Log in as root to the Common Desktop Environment (CDE).

    If you are currently running CDE under your login name, exit CDE and log in as root.


    Note –

    If you log in as a regular user, you can run Smartcard, but you can only perform two tasks: Load Applets and Configure Applets.


  2. On the CDE control panel, click the up arrow on the Applications subpanel.

    By default, the Text Note icon, a pinned note with a pencil above it, represents the Applications subpanel.

  3. Select Applications to display the Application Manager.

  4. Double-click the System_Admin icon in Application Manager.

  5. Double-click the Smart Card icon to start the Smartcard Console.

    You may have to scroll down to find the Smart Card icon.


Note –

You can also start the Smartcard Console from the desktop Workspace menu; sdtsmartcardadmin should be found at the top level or in the Tools submenu.


Setting Up a Desktop for Smartcard Login

To set up Smartcard login for the desktop of a Sun workstation running the Solaris 8 or Solaris 9 operating environment, perform the tasks described below. For some tasks, a command line example is shown first, followed by Smartcard Console instructions. For complex tasks, the command line example is a link to a later chapter.


Note –

You must be root to perform most of these tasks.


To Activate a Card Reader

Note that even if your new workstation has an internal card reader, you must activate it before it can be used. If you are activating an external card reader, it must first be physically attached to a serial port of the system, according to instructions in the card reader documentation.

Command Line Example

See Adding a Card Reader (Command Line) for examples.

Smartcard Console Instructions
  1. Click Card Readers in the Smartcard Console's Navigation pane.

    The Add Reader icon is displayed in the Console pane. Icons for any enabled card reader types are also displayed.

  2. Double-click Add Reader in the Console pane.

    The Add Reader dialog box is displayed.

  3. Double-click the type of card reader you want to add or select it and click OK.

    To enable the Sun internal card reader, select Sun SCRI Internal Card Terminal Reader. The CardReaders dialog box is displayed.

  4. Select the Basic Configuration tab.

  5. Type a name for the reader in the Unique Card Terminal Name field.

    Leave the current name if you do not wish to change it. Do not include any spaces in the name.

  6. Click the down arrow under Device Port.

  7. Select the port that the card reader is attached to.

  8. Click OK.

  9. Restart ocfserv, if prompted to do so.

    The ocfserv process is restarted the next time you use the Smartcard Console or execute the smartcard command.

To Add Support for a New Card Type (New ATR)

To use a new type of smart card, you have to provide its Answer to Reset (ATR) property to ocfserv. Do the following to add support for a new card type.

Command Line Example

As root, type the following to add “12345” as a new PayFlex ATR:


# smartcard -c admin -x modify "PayFlex.ATR=3B69000057100A9 3B6911000000010100 12345"

Note –

You must enter the current ATRs and the new ATR.

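The modify command above replaces the whole ATR list for the card type, so a mistyped or omitted entry silently drops support for cards already in use. The shell helpers below are an added example, not part of the guide: they take the current list (assumed to be copied from the Smart Card dialog box or from your own records) plus the new ATR, reject a non-hexadecimal or duplicate value, and print the property string the command expects. The card type and ATR values are the guide's own.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): build the property value for
# "smartcard -c admin -x modify" so that the existing ATRs are preserved and
# the new ATR is checked before anything is written to ocfserv.
# The current ATR list is supplied by the caller (copied from the Smart Card
# dialog box); the card type and values below are the guide's PayFlex example.

# is_hex_atr ATR: succeed only if ATR is non-empty and made of hex digits.
is_hex_atr() {
    case "$1" in
        '' | *[!0-9A-Fa-f]*) return 1 ;;
        *) return 0 ;;
    esac
}

# atr_known ATR "CURRENT LIST": succeed if ATR already appears in the list.
atr_known() {
    for known in $2; do
        [ "$known" = "$1" ] && return 0
    done
    return 1
}

# build_atr_property CARDTYPE "CURRENT LIST" NEWATR
# Prints CARDTYPE.ATR=<current list> <new ATR>, or prints nothing and fails
# on a malformed (1) or duplicate (2) ATR so the list is never overwritten.
build_atr_property() {
    is_hex_atr "$3" || { echo "build_atr_property: bad ATR '$3'" >&2; return 1; }
    atr_known "$3" "$2" && { echo "build_atr_property: ATR already registered" >&2; return 2; }
    printf '%s.ATR=%s %s\n' "$1" "$2" "$3"
}

# Stand-alone usage: print the modify command instead of running it.
current='3B69000057100A9 3B6911000000010100'
prop=$(build_atr_property PayFlex "$current" 12345) &&
    printf 'smartcard -c admin -x modify "%s"\n' "$prop"
```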

Smartcard Console Instructions
  1. Insert the smart card with the new ATR in the card reader.

  2. In the Navigation pane, select Smart Cards.

  3. Double-click the icon representing the type of card currently inserted.

    The Smart Card dialog box displays a list of the known ATRs for this card type.

  4. If this is a new ATR, click Add.

    The Add ATR dialog box is displayed, with the ATR of the card inserted in the card reader shown in the “Inserted Card's ATR” listbox.


    Note –

    To determine whether the ATR value of the inserted card has already been registered, click the Add button. If nothing is listed in the Add ATR dialog box, your card's ATR is already known; otherwise, perform the steps below.


  5. Select the ATR of the inserted card or type the new ATR in the New ATR field.

    You can find the new ATR value in the smart card product literature.

  6. Click OK in the Add ATR dialog box.

    The new ATR is added to the list in the Smart Card dialog box.

  7. Select the new ATR in the list in the Smart Card dialog box.

  8. Click OK in the Smart Card dialog box to activate the change.

To Load the Smartcard Applet to a Smart Card

Do the following to load the Solaris Smartcard applet (SolarisAuthApplet) to a smart card. You must do this before you can add the user profile information.

Command Line Example

As root, with the smart card inserted in the card reader, type the following:


# smartcard -c load -i /usr/share/lib/smartcard/SolarisAuthApplet.capx

When the load finishes, the following message displays:


Operation successful.

Smartcard Console Instructions
  1. Insert the smart card into the reader.

  2. Select Load Applets icon in the Navigation pane.

  3. Double-click the SolarisAuthApplet icon in the Console pane.

    The Load Applets dialog box is displayed. Available applets for various card types are displayed in the left listbox.

  4. Select the card type you want to initialize.

    Choices include CyberFlex, IButton, and PayFlex.

  5. Click the arrow between the two listboxes.

    The selected applet is copied to the Pending Applet Installations listbox, with a check in the checkbox and the name of the smart card displayed. If no card or the wrong smart card is inserted in the card reader, “No compatible devices inserted” is displayed. Insert the appropriate card.

  6. Click Install.

    A window labeled “Loading Applet to Device” is displayed. It takes a minute or so for the applet to load. When the installation is complete, a window with a confirmation message (“Applet Installation Successful”) displays.

  7. Click OK to dismiss the confirmation window.

    The card now stores default values. If the card previously stored different PIN or user profile values, those values have been overwritten. See PIN Property and User and Password Properties for more information.

To Set Up a User Profile

Do the following to specify the username and password associated with the application (dtlogin) for the card being set up. For more information, see To Create User Information on a Smart Card.

Command Line Example

As root, type the following on one line to set the user name to xxx and the password to yyy for the dtlogin application. In this example, the PIN is $$$$java, the default value:


# smartcard -c init -A A000000062030400 -P '$$$$java' user=xxx password=yyy application=dtlogin

Note –

You must enter the loaded applet ID and the current PIN. In the example above, -A A000000062030400 specifies the SolarisAuthApplet applet ID and the PIN is the default SolarisAuthApplet value. Enclose the PIN, $$$$java, or any PIN containing shell special characters (such as $) within single quotes. Otherwise, the shell tries to interpret the PIN as a variable, and the command fails.


Smartcard Console Instructions
  1. Insert the smart card you want to configure into the card reader.

  2. Select Configure Applets in the Navigation pane.

    The icon for the type of card in the reader is displayed in the Console pane.

  3. Double-click the icon in the Console pane.

    The Configure Applets dialog box is displayed.

  4. Select SolarisAuthApplet in the Configure Applets dialog box.

    The SolarisAuthApplet configuration folders appear on the right side of the dialog box, represented by tabs labeled PIN and User Profiles (plus RSA Key and PKI Cert, for some smart cards). Only User Profiles changes are described here. See To Change the PIN on a Card for PIN change information.

  5. Select the User Profiles tab in the Configure Applets dialog box.

  6. Type dtlogin in the User Profile Name field.

    This represents the CDE desktop.

  7. Type a user name in the User Name field.

    This is the username of the person who will be using the card. The username cannot be more than eight characters long.


    Note –

    Click Get to determine the current username associated with the card. You will need to enter the PIN to get the current username or to change the username or password.


  8. Type the password in the Password field.

    This is the password associated with the username typed above. The password must correspond to the user's password based on the search order for passwd in /etc/nsswitch.conf (LDAP, NIS, NIS+, or local files). The password cannot be more than eight characters long.


    Note –

    If the user's password is changed after you have configured the smart card, you or the user must repeat these steps to store the new password on the smart card. It is not updated automatically.


  9. Click Set.

    The Set User Profile popup is displayed, asking for the current PIN.

  10. Type the PIN and click OK.

    The new username and password are stored on the card.

  11. Click OK to dismiss the dialog box.

To Verify a PIN for a Smart Card

Do the following to verify the PIN for a smart card.

  1. Insert the smart card into the card reader.

  2. As root, type the following to verify the PIN for the smart card.


    # smartcard -c init -A A000000062030400 -P 'PIN_number'

    where PIN_number represents the PIN set for the card and A000000062030400 is the applet ID for the SolarisAuthApplet.

    If the PIN is invalid, an Invalid PIN message is displayed. A valid PIN results in no output.

To Change the PIN on a Card

Do the following to change the PIN on a smart card.


Note –

This is a task that can be performed by an end user, if he or she knows the current PIN.


Command Line Example

As root, with the smart card inserted in the card reader, type the following to change the default PIN ($$$$java) to 001234:


# smartcard -c init -A A000000062030400 -P '$$$$java' pin=001234

Note –

You must enter the loaded applet ID and the current PIN. In the example above, -A A000000062030400 specifies the SolarisAuthApplet applet ID (aid) and the PIN is the default SolarisAuthApplet value. Be sure to type the new PIN correctly because you will not be prompted to confirm it. Enclose the PIN, $$$$java, or any PIN containing shell special characters (such as $) within single quotes. Otherwise, the shell tries to interpret the PIN as a variable, and the command fails.

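Both the user-profile command in To Set Up a User Profile and the PIN-change command above depend on the PIN surviving shell expansion, and both write values that the guide limits to eight characters. The helpers below are an added example, not part of the guide or of the smartcard tool: they quote any PIN, username or password safely (including values containing a single quote), refuse values outside the 1 to 8 character range before the card is touched, and print the resulting smartcard -c init command lines. The applet ID is the guide's own; the helper names are this example's.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): build the "smartcard -c init"
# command lines for the SolarisAuthApplet so that a PIN holding shell
# special characters (the default $$$$java) reaches the command intact,
# and check the eight-character limits the guide states for the username,
# password and PIN before anything is written to the card.
# The applet ID is the guide's own; the helper names are this example's.

AUTH_AID=A000000062030400   # SolarisAuthApplet applet ID (from the guide)

# sh_quote STRING: wrap STRING in single quotes, turning any embedded
# single quote into '\'' so the shell passes the value through literally.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# roundtrip STRING: what the shell actually delivers after sh_quote.
roundtrip() {
    eval "printf '%s' $(sh_quote "$1")"
}

# max8 LABEL VALUE: fail unless VALUE is 1 to 8 characters long.
max8() {
    [ "${#2}" -ge 1 ] && [ "${#2}" -le 8 ] && return 0
    echo "$1 must be 1 to 8 characters, got ${#2}" >&2
    return 1
}

# profile_cmd PIN USER PASSWORD: command that stores a dtlogin user profile.
profile_cmd() {
    max8 PIN "$1" && max8 username "$2" && max8 password "$3" || return 1
    printf 'smartcard -c init -A %s -P %s user=%s password=%s application=dtlogin\n' \
        "$AUTH_AID" "$(sh_quote "$1")" "$(sh_quote "$2")" "$(sh_quote "$3")"
}

# pin_change_cmd OLDPIN NEWPIN: command that replaces the card's PIN.
pin_change_cmd() {
    max8 "current PIN" "$1" && max8 "new PIN" "$2" || return 1
    printf 'smartcard -c init -A %s -P %s pin=%s\n' \
        "$AUTH_AID" "$(sh_quote "$1")" "$(sh_quote "$2")"
}

# Stand-alone usage: print the commands instead of running them.
profile_cmd '$$$$java' xxx yyy
pin_change_cmd '$$$$java' 001234
```

Pipe the printed line into sh only after reviewing it; the point of printing is that an unquoted $$$$java would already have been replaced by the shell's process ID before the command ran.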

Smartcard Console Instructions
  1. Insert the smart card you want to configure into the card reader.

  2. Select Configure Applets in the Navigation pane.

    The icon for the type of card in the reader is displayed in the Console pane.

  3. Double-click the card icon in the Console pane.

    The Configure Applets dialog box is displayed.

  4. Select SolarisAuthApplet in the listbox.

    The SolarisAuthApplet configuration folders appear on the right side of the dialog box, represented by tabs labeled PIN and User Profiles (plus RSA Key and PKI Cert, for some smart cards). Only PIN change is described here.

  5. Select the PIN tab.

  6. Type and retype a new PIN.

    A PIN can contain up to eight characters.

  7. Click Change.

    A popup window labeled “Change PIN” is displayed.

  8. Enter the previous PIN in the pop-up window and click OK.

    The default PIN, loaded on the card when the SolarisAuthApplet was installed on the card, is $$$$java.

To Enable Smartcard on a System

Do the following to enable Solaris Smartcard on a system. This must be done on each system that will use Smartcard authentication. See smartcard(1M), pam_smartcard(5), and ocfserv(1M) for detailed information about Solaris Smartcard commands.

Command Line Example

See To Enable Smartcard Usage (Command Line) for instructions.

Smartcard Console Instructions
  1. Select OCF Clients in the Navigation pane.

    The Desktop icon is displayed in the Console pane.

  2. Double-click the Desktop icon.

    The Configure Clients dialog box is displayed.

  3. Select the Cards/Authentications tab in the dialog box.

    The three supported smart cards — CyberFlex, IButton, and PayFlex — are listed in the listbox at the left.

  4. Select the radio button labeled “Activate Desktop's Smart Card capabilities.”


    Note –

    As soon as you click OK in the Configure Clients dialog box, Smartcard is activated. Be sure you have a working card reader on the system and a smart card configured with your username and password. And be sure you know the PIN on the card or you will be locked out of the system. If you cannot access your system because of Smartcard, rlogin to the system and disable Smartcard by typing, as superuser: smartcard -c disable. You can disable Smartcard from the Configure Clients dialog box by selecting the radio button labeled “Deactivate Desktop's Smart Card Capabilities” and clicking OK.


  5. Click Apply or OK.

    Solaris Smartcard is now enabled on the system.

  6. Exit CDE to activate the change.

Other Setup Tasks

If you don't want to use the default values for Smartcard timeouts and card removal actions, you can change them, as described below.

To Set Smartcard Timeouts (Console)
  1. Select OCF Clients in the Navigation pane.

  2. Double-click the Desktops icon in the Console pane.

    The Configure Clients dialog box is displayed.

  3. Select the Timeouts tab in the dialog box.

  4. Adjust the timeouts by sliding the indicator for each timeout with the mouse.

    • Card Removal timeout – specifies the number of seconds the desktop waits after a smart card is removed before locking the screen; this only applies when the "Ignore Card Removal" box is not checked under the Options tab. If Card Removal Logout Wait is set to 0, a user will never be logged out (that is, the screen remains locked until the user reauthenticates to unlock it).

    • Reauthentication timeout – specifies the number of seconds the Reauthentication screen is displayed when the card has been removed and the screen is locked.

    • Card Removal Logout Wait – specifies the number of seconds the desktop waits for a smart card to be reinserted when the Reauthentication screen is displayed. If the card is not reinserted in time, the user is logged out. Note that this timeout is relevant only when Reauthenticate After Card Removal (in the Options tab) is set to False.

  5. Click Apply or OK.

  6. Exit CDE to activate the change.

To Set Card Removal Options (Console)
  1. Select OCF Clients in the Navigation pane.

  2. Double-click the Desktops icon in the Console pane.

    The Configure Clients dialog box is displayed.

  3. Select the Options tab in the dialog box.

  4. Click the checkboxes to toggle them.

    • Ignore Card Removal – if checked, nothing happens when a smart card is removed from the reader.

    • Reauthenticate After Card Removal – If checked, a user is logged out when a card is removed. If it is not checked, the Card Removal Logout Wait setting (in the Timeouts tab) determines what happens.

  5. Click Apply or OK.

  6. Exit CDE to activate the change.