A client (a Sun Ray Client or Oracle Virtual Desktop Client) that supports client authentication has a public-private key pair for client authentication. The key pair for a client is generated when the client first boots with the appropriate firmware.
Older versions of firmware or the firmware that is
preinstalled on Sun Ray Clients delivered from the factory do
not generate keys and do not support client authentication. To
help you identify preinstalled firmware, note that versions of
preinstalled firmware start with MfgPkg.
You must provision the clients with firmware that is delivered
with Sun Ray Software in order to have keys generated.
When a client connects to a server and client authentication is enabled, the client sends its public key and a client identifier to the server. For a client, the client identifier is its MAC address. Initially the server can verify only that the client is the owner of the submitted key, but it cannot verify that the client legitimately uses the submitted client ID.
The Sun Ray server stores a list of known clients and their public keys in the Sun Ray data store. A stored key can be marked as confirmed to indicate that authenticity of the key for the given client has been confirmed through human intervention. As long as no key has been marked confirmed for a client, the client authentication feature can ensure only that a client identifier is not used by multiple different clients with different keys. Only when the key has been verified and marked confirmed can the client authentication actually authenticate the identity of the client.
Keys for Oracle Virtual Desktop Clients are not stored in the data store and they are not displayed by the utkeyadm command or Admin GUI. Instead, an Oracle Virtual Desktop Client uses its key fingerprint as a client identifier so that the authenticity of the key for the given ID is established automatically. For more information, see Section 8.5, “Key Fingerprint”.
By default, a client with an unconfirmed key is granted a session unless the identity of the client has been used with a different key. Multiple keys submitted for a client might indicate an attack on sessions for this client, so session access is denied for this client. A user needs to explicitly confirm one of the keys as being authentic to re-enable access for the client.
You can select a stricter policy that requires authenticated client identities and denies access to any client whose key is not verified and confirmed by using the utpolicy command or the Admin GUI. If you choose to use this policy, you must explicitly mark the key for every new client as 'confirmed' before the client can be used. To use this policy to full effect, you should also set the client authentication mode to 'hard' in the security configuration.
You can use the utkeyadm command to manage client identities and their associated keys. All keys that are used for a client are listed by the key management tools.
With the utkeyadm command, you can perform the following actions:
List keys associated to known clients and their status
Confirm a client key after verifying its authenticity. If multiple unconfirmed keys are stored for a client, all other keys are deleted when one is confirmed as authentic.
Delete invalid or stale key entries
Export key data for all or selected client identities for backup and for transfer to other Sun Ray server instances
Import key data that has been exported on this or another Sun Ray server instance
You can also view, confirm, or delete associated keys for a client through the client's Desktop Properties page in the Admin GUI.