CHAPTER 5

Mobile Sessions (Hot Desking)

The Sun Ray system is designed, in part, to enable hot desking with Smart Cards, and every Sun Ray DTU is equipped with a Smart Card reader. Sun Ray Server Software 3 also includes the industry standard PC/SC-lite API for developers who wish to encode custom applications or other information in their users' Smart Cards. Custom applications are frequently used to provide strong smart card-based authenticated logins and PKCS#11, S/MIME digital signature message signing and encryption, among other capabilities. This enhancement requires no additional administration.

Configuring Sun Ray Server Software with non-smart card mobile (NSCM) sessions provides the benefits of hot desking without the use of smart cards. This chapter explains NSCM sessions and how to configure them.



NSCM Session

In an NSCM session, the user:

If a user does not want to use the NSCM session, inserting a smart card causes the session to be disconnected and replaced by a smart card session.

Sun Ray Mobile Session Login Dialog Box

When Sun Ray Server Software is configured for NSCM sessions, the Sun Ray Mobile Session Login dialog box is displayed on the Sun Ray DTU.


FIGURE 5-1 Sun Ray Mobile Session Login Dialog Box

The welcome screen has an empty text field in which to enter a user name. Press Return to get the equivalent of the OK button.


A right click on the Options button opens a panel where the user can select:

Token Reader Icon

When a site policy disallows NSCM sessions, DTUs configured as token readers display the token reader icon instead of the Login Dialog box.



To Log In to an NSCM Session

1. Type a user name and then a password into the user entry field.


FIGURE 5-2 User Name Entry

This figure shows a user name entered in the text field.


If an NSCM session for this user does not exist, the Authentication Manager creates an NSCM session token for the user. The token has the format: mobile.username, where username is the user's identification.

If the Sun Ray server is part of a failover group, the load-balancing algorithm may redirect the user to another Sun Ray server, where the user types a username and password again before an NSCM session is created.


If an NSCM session exists on a different Sun Ray server in a failover group, the user is redirected to the server where the most current NSCM session is located.

FIGURE 5-3 User Password Entry

This screen welcomes the user and prompts for a password.


The Sun Ray Mobile Session Login dialog box is redisplayed with the host name of the new Sun Ray server, and the user must retype the user name and password.



Note - The user may be redirected either for server load balancing or because there is a disconnected session on another server. For added security, each redirection requires re-authentication, so the user must re-enter a user name and password.





Note - In previous versions, the Sun Ray administrator could prevent re-authentication behavior by setting the acceptRedirectToken property in the /etc/opt/SUNWut/auth.props file to true, after which users did not need to re-authenticate when redirected. This functionality is no longer enabled.



Disconnecting an Active NSCM Session

If an NSCM session exists on the current Sun Ray server, the session is displayed to the user. If a user wants to move to another location, there are two methods of disconnecting an NSCM session:

Hot Key

To disconnect an NSCM session, the user presses the key combination Shift-Pause.


To Disconnect the Current Session via utdetach

1. Type the utdetach command in a shell window:


% /opt/SUNWut/bin/utdetach

2. Press the Shift and Pause keys simultaneously.

The Sun Ray Mobile Session Login dialog box is redisplayed, and the user moves to another Sun Ray DTU.

3. Log in at the second Sun Ray DTU.

The session becomes active.

The user can terminate the session by clicking the Exit button in the CDE panel or by pressing the key combination Ctrl+Alt+Bksp, Bksp.



Note - The user may decide not to disconnect the session before moving to another Sun Ray DTU. Upon repeating Step 1, the user's session is disconnected from the previous DTU and connected to the current DTU.




To Terminate the Current Session

- Click the Exit button on the CDE panel.

or

- Press the Ctrl+Alt+Bksp+Bksp key combination.


To Reconfigure the Disconnect Hot Key Combination

You can change the disconnect key combination (hot key) in the /etc/opt/SUNWut/utslaunch_defaults.properties file, where the site-wide default configuration of the hotkey key combination is specified. Individual users can override the default key combination by configuring the ~/.utslaunch.properties file located in their home directory.

- Edit the respective file and find the line with the utdetach.hotkey property.

Change the string after the equals sign to the keystrokes desired. For example, to configure the key combination of Alt + Esc, type:


utdetach.hotkey=Alt Escape


To Customize the Shortcut for Disconnecting an NSCM Session

You can disconnect the current session using the key combination (hot key) in the utslaunch.properties files.

1. To reconfigure the hot key combination, edit the file and find the line with the utdetach.hotkey property.

2. Change the string after the equals sign to the keystrokes desired.

For example:

utdetach.hotkey=Alt Escape

configures the key combination of Alt+Esc.


NSCM and Failover Groups

The user login experience for NSCM sessions may be different than expected when systems are configured as part of a failover group.

The Sun Ray Authentication Manager uses a properties file, /etc/opt/SUNWut/auth.props. When the system is first configured, the acceptRedirectToken property in this file is set to false to support a model of high security by default. Because the property is set to false, the following situations may produce unfamiliar behavior:

Load Balancing Between Servers

If server A is heavily loaded when a user logs into it with the NSCM GUI, it redirects the user to server B, which requires another login with the NSCM GUI. If server B is running an earlier Solaris version than Server A, the user must log in a third time. Thus, the user gets a session, but only after three logins. Users accustomed to smart card ease of use might find this repetitious behavior confusing or annoying.

Switching Between Servers

A user with a session on server A who wants to switch to a session on server B invokes the utselect GUI to access the other session. In doing so, the user is required to log in with the NSCM GUI. Users familiar with the ease of the utselect GUI might be discouraged that another log in is necessary.

Escape Token Sessions

The user bypasses the NSCM GUI by clicking the Exit button and logs into server A using dtlogin. The user now has a standard escape token session and invokes the utselect GUI to switch to server B and, in doing so, is presented with the NSCM GUI. The user must click Exit again to get to the escape token session on server B.

Users accustomed to a quick switch might be annoyed that they must interact with the NSCM GUI a second time.
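
The behavior in this section depends on acceptRedirectToken being false in /etc/opt/SUNWut/auth.props on every server in the failover group. The following script is an added example, not part of the Sun Ray software or its documentation, that reports the effective value of that property in each copy of the file it is given. It assumes key=value property syntax with # or ! comment lines and last-assignment-wins; the srv-a, srv-b and srv-c files and their contents are constructed samples.

```shell
#!/bin/sh
# Added example: audit the acceptRedirectToken setting in auth.props copies.
# Assumption: the file uses key=value (or key: value) lines, with '#' or '!'
# comment lines, and the last assignment of a key wins.

# Print the effective value of property $2 in file $1 (empty if never set).
prop_get() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                      # comment line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t]*[=:][ \t]*/)) next
            k = substr(line, 1, RSTART - 1)
            v = substr(line, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", v)                 # trailing blanks, CR
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Print one status word for file $1; exit status 0 only for "ok".
#   ok      - property is false: every redirect asks for credentials again
#   finding - property is true: the legacy no-re-authentication setting
#   review  - unset or unrecognised value; check by hand
#   error   - file missing or unreadable
audit_redirect_token() {
    [ -r "$1" ] || { echo error; return 2; }
    case "$(prop_get "$1" acceptRedirectToken | tr 'A-Z' 'a-z')" in
        false) echo ok ;;
        true)  echo finding; return 1 ;;
        *)     echo review;  return 1 ;;
    esac
}

# Constructed sample files standing in for auth.props from three servers.
SAMPLES=$(mktemp -d) && trap 'rm -rf "$SAMPLES"' EXIT
printf '# constructed sample\nacceptRedirectToken = false\n' > "$SAMPLES/srv-a"
printf 'acceptRedirectToken=false\n#acceptRedirectToken=false\nacceptRedirectToken=TRUE\r\n' > "$SAMPLES/srv-b"
printf '! constructed sample\nsomeOtherProperty=1\n' > "$SAMPLES/srv-c"

for f in "$SAMPLES"/srv-*; do
    printf '%s: %s\n' "${f##*/}" "$(audit_redirect_token "$f")"
done
```

To check a live server, call audit_redirect_token /etc/opt/SUNWut/auth.props on each member of the failover group and compare the results.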


Configuring the Authentication Manager for NSCM Sessions

The Sun Ray administrator can enable the NSCM session features with:



Note - If the IP addresses and DHCP configuration data are not set up properly at the time that the interfaces are configured, the failover feature will not work properly. In particular, configuring the Sun Ray server's interconnect IP address as a duplicate of any other server's interconnect IP address may cause the Sun Ray Authentication Manager to generate "Out of Memory" errors.




To Enable NSCM Sessions From the Administration Tool

1. Before changing the Authentication Manager policy, inform your users that all active and detached sessions will be lost.

You can use the utwall command to send the notice of policy change. For example:


# /opt/SUNWut/sbin/utwall -d -t 'System policy will change in 10 minutes.\nAll active and detached sessions will be lost.\nPlease save all data and terminate your session now.' ALL

The following message is seen by all users in a pop-up window:


System policy will change in 10 minutes.
All active and detached sessions will be lost.
Please save all data and terminate your session now.

2. Log in to the Administration Tool.

3. From the task list, select Admin and click the Policy link.

The Change Policy window is displayed.

4. In the Non-Card Users column, check the Enable Mobile Sessions box.


FIGURE 5-4 Change Policy Window

As in most cases, it is preferable to use the utadmin command instead of the Admin GUI screens for all administration issues, such as changing the access levels of card users and other users.


5. Click the Apply button.

When the policy change is complete, you are shown a confirmation window.


FIGURE 5-5 Change Policy Confirmation Window

This screen confirms that a change has been made to a policy.


6. From the task list, select Admin and click the Reset Services link.

The Sun Ray Services panel is displayed.

7. Select Group if this is a failover group or Local if there is a single Sun Ray server.

8. Click Restart to restart Sun Ray services and terminate all users' sessions.

NSCM sessions are enabled after a moment.


To Enable NSCM Sessions From a Command Line

The Sun Ray administrator can toggle the NSCM session capability by including or excluding the -M argument in the utpolicy command. For more information, see the utpolicy man page.

1. Before changing the Authentication Manager policy, inform your users that all active and detached sessions will be lost.

You can use the utwall command to provide them the notice of policy change. For example:


# /opt/SUNWut/sbin/utwall -d -t 'System policy will change in 10 minutes.\nAll active and detached sessions will be lost.\nPlease save all data and terminate your session now.' ALL

The following message is seen by all users in a pop-up window:


System policy will change in 10 minutes.
All active and detached sessions will be lost.
Please save all data and terminate your session now.

2. As superuser, type the utpolicy command for your authentication policy with the addition of the -M argument. For example:


# /opt/SUNWut/sbin/utpolicy -a -M -s both -r both

This example configures the Authentication Manager to allow self-registration of users both with and without smart cards, and enables NSCM sessions.

3. Initialize Sun Ray services.

a. Type this command to restart the Authentication Manager.


# /opt/SUNWut/sbin/utrestart -c

This command clears all active and detached sessions.

b. Repeat Step a on each secondary Sun Ray server if in a failover group.