Previous to the Sun Ray Software 5.2 release, smart card services were provided by the PC/SC-lite add-on component. In this release, smart card services are automatically installed as part of the Sun Ray Software product.
The Sun Ray Software automatically provides smart card services, such as smart card authentication, through the PC/SC-lite API. PC/SC (Personal Computer/Smart Card) is the standard framework for smart card device access on Windows, Linux, and UNIX platforms.
Custom applications are frequently used to provide the following solutions:
Strong smart card-based authenticated logins and PKCS#11
S/MIME digital signature message signing and encryption
Smart card services include interoperability with the integrated Sun Ray smart card readers on the Sun Ray Clients. External USB readers are supported with the CCID handler, which can be downloaded separately. Smart card services are only available on Solaris-based Sun Ray servers.
The CCID IFD Handler is not provided with the Sun Ray Software 5.2 release. However, you can download the PC/SC-lite 1.3 component from the 5.1.1 Media Pack, which includes the CCID IFD Handler v1.3.10 distribution. Only the CCID IFD handler needs to be installed. PC/SC-lite is already installed with Sun Ray Software 5.2.
This distribution is a Sun Ray implementation of the Interface Device Handler (IFD) for CCID-compliant USB smart card readers for the PC/SC-lite API, derived from the Open Source MUSCLE project. When used in conjunction with the smart card services provided by Sun Ray Software, this IFD handler enables PC/SC-compliant applications and middleware to use external USB smart card readers on Sun Ray Clients.
PC/SC (Personal Computer/Smart Card) is the standard framework for smart card device access on Windows, Linux, and UNIX® platforms.
CCID IFD handler v1.3.10 is supported on Sun Ray servers running Sun Ray Software 5.2.
The CCID IFD handler can be used in two environments:
CCID readers plugged directly into USB ports on a server or workstation (referred to here as a system)
CCID readers plugged into USB ports on a Sun Ray Client
Some behavior differs slightly, primarily because session mobility does not apply to system sessions.
Any use of readers on the server's ports works the same way whether the user is logged in at the console or logged in remotely.
A headless system, i.e. one without a console, is a valid non-Sun Ray configuration for PC/SC-lite with CCID support.
Follow these instructions to install the CCID IFD handler.
To install the CCID IFD handler in a Solaris Trusted Extensions environment, perform the installation as root from ADMIN_LOW (global zone).
Download and unpack the CCID IFD handler.
Become superuser on the Sun Ray server.
Install the CCID IFD handler:
# svcadm disable pcscd
# /usr/sbin/pkgadd -d . SUNWusb-scrdr
# svcadm enable pcscd
Follow these instructions to remove the CCID IFD handler.
Remove this package before removing the PC/SC-lite packages SUNWpcsc and SUNWpcscdtu.
To uninstall the CCID IFD handler from a Solaris Trusted Extensions environment, perform the uninstallation as root from ADMIN_LOW (global zone).
Become superuser on the Sun Ray server.
Uninstall the CCID IFD handler:
# svcadm disable pcscd
# /usr/sbin/pkgrm SUNWusb-scrdr
# svcadm enable pcscd
The delay in enumeration of USB readers is only a problem if the application does not wait for a reader to appear or if two or more readers are used. If this causes problems, work around them by running the startpcsc utility before running the PC/SC-lite application. This causes an instance of pcscd to be created and the available USB readers to be enumerated. The startpcsc utility is available as part of the PC/SC-lite download (in the pcsctools ZIP file).
If the PC/SC-lite framework is allowed to sit idle for too long, the system pcscd instance exits. This causes the same problem to recur. If the system instance needs to stay resident indefinitely, change INSTANCE_TIMEOUT in /etc/smartcard/pcscd-Local.conf to -1 (the default value is 600 seconds). This causes the system instance to stay around until the user's session is terminated; however, an extra PC/SC-lite process remains in the process table, using system resources.
Session mobility, and resetting or power-cycling the DTU, while an external smart card reader on that DTU is in use are not supported in this release and can cause applications to freeze, or simply to lose track of the external reader.
Currently, there is a delay of a few seconds before external USB readers become visible to PC/SC-lite client applications. This delay occurs whenever a PC/SC-lite instance is started for a user session, whether on a Sun Ray DTU or on a system, as well as any other time the USB bus needs to be re-enumerated. Specifically, an enumeration delay, during which external USB readers are not immediately visible to an application, occurs under the following circumstances:
The first time a PC/SC-lite instance is started. That is, when an application attempts to access PC/SC-lite from within a given session for the first time.
Whenever a PC/SC-lite instance is automatically restarted after the PC/SC-lite self-terminates due to an idle period of inactivity. This is similar to the first case.
Whenever a Session Mobility event occurs, causing a delay in reader visibility while external USB readers on the target DTU are re-enumerated. Session Mobility is not currently supported by the CCID IFD handler for external USB readers on Sun Ray DTUs.
Resetting or power-cycling the DTU in a Sun Ray session.
Certain applications, such as Windows Smart Card login over Sun Ray Windows Connector, are not designed to accommodate enumeration delays associated with the USB hotplug model. Such applications do not see readers that appear after they have initially scanned the PC/SC-lite reader list. In other words, readers that appear late may be missed by an application due to any of the scenarios described above.
Sometimes applications will use the first reader they find. On Sun Ray DTUs, this is invariably the internal reader, unless that reader has been disabled with the following command:
# utdevadm -d -s internal_smartcard_reader
The solution is to ensure that the USB reader list is visible to the application before the application scans the reader list. A way to address this problem within PC/SC-lite is planned for a subsequent update of PC/SC-lite. Meanwhile, the following workarounds allow applications to recognize readers that exhibit enumeration tardiness.
Run PC/SC-lite instance before PC/SC-lite client application
Make sure that the session-specific PC/SC-lite instance is running for several seconds before starting the PC/SC-lite client application, rather than having PC/SC-lite started on behalf of the client application itself. This ensures that USB readers are all listed the first time the client application requests the reader list.
Run the startpcsc utility, which calls SCardEstablishContext(), causing the pcscd launcher to ensure that a PC/SC-lite session instance is running, and then waits long enough for the readers to be instantiated. The startpcsc utility is available as part of the PC/SC-lite download (in the pcsctools ZIP file).
Prevent PC/SC-lite instances from timing out after a pre-specified idle period
Disable instance timeout by editing /etc/smartcard/pcscd-SunRay.conf and changing the INSTANCE_TIMEOUT parameter to -1. The shipping default value is 600 seconds (10 minutes).
When you disable inactivity timeouts by changing INSTANCE_TIMEOUT, PC/SC-lite instances stay around until the user's session is terminated, which can mean that many PC/SC-lite processes may be in the process table, using system resources.
We currently have no data on how much of an impact that might cause as the number of user sessions on a system grows (i.e., we have insufficient data on how that scales). In many cases, it may not be a problem at all, except that the process table will be more cluttered with inactive processes than otherwise.
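The following POSIX shell script is an added example, not part of the Sun Ray documentation or of PC/SC-lite itself; it applies the INSTANCE_TIMEOUT change described for pcscd-Local.conf (system sessions) and pcscd-SunRay.conf (DTU sessions) to a conf file given as a parameter and reads the effective value back, so it can be tried on a copy before touching the live file. It assumes the file uses "INSTANCE_TIMEOUT = <seconds>" style lines; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Sun Ray documentation or PC/SC-lite itself.
# Reads and sets INSTANCE_TIMEOUT in a pcscd configuration file such as
# /etc/smartcard/pcscd-SunRay.conf or /etc/smartcard/pcscd-Local.conf.
# Assumption: the file uses "INSTANCE_TIMEOUT = <seconds>" style lines.

# Print the effective INSTANCE_TIMEOUT (last uncommented setting), or "unset".
get_instance_timeout() {
    val=$(sed -n 's/^[[:space:]]*INSTANCE_TIMEOUT[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# Set INSTANCE_TIMEOUT to VALUE: -1 keeps the instance resident until the
# session ends, a non-negative number is an idle timeout in seconds.
# Rewrites an existing uncommented setting in place, otherwise appends one,
# and keeps a one-time .orig backup of the file.
set_instance_timeout() {
    conf="$1"; value="$2"
    case "$value" in
        -1) ;;                                   # disable the idle timeout
        ''|*[!0-9]*) echo "invalid timeout: '$value'" >&2; return 1 ;;
    esac
    [ -f "$conf.orig" ] || cp "$conf" "$conf.orig"
    if grep -q '^[[:space:]]*INSTANCE_TIMEOUT[[:space:]]*=' "$conf"; then
        sed "s/^[[:space:]]*INSTANCE_TIMEOUT[[:space:]]*=.*/INSTANCE_TIMEOUT = $value/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'INSTANCE_TIMEOUT = %s\n' "$value" >> "$conf"
    fi
}

# Demo on a constructed copy (never the live file): shipping default 600 -> -1.
demo_instance_timeout() {
    tmp=$(mktemp) || return 1
    printf '# constructed sample conf\nINSTANCE_TIMEOUT = 600\n' > "$tmp"
    before=$(get_instance_timeout "$tmp")
    set_instance_timeout "$tmp" -1
    after=$(get_instance_timeout "$tmp")
    rm -f "$tmp" "$tmp.orig"
    echo "$before -> $after"
}
```

Remember that with -1 each session's pcscd stays in the process table until the session ends, so apply it only where the resident process is worth the resources.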
Session Mobility
The most difficult situation to accommodate is re-enumeration and the enumeration delay associated with session mobility (hotdesking). This does not apply to system users, as only Sun Ray DTUs support session mobility.
Session mobility is not supported for USB readers on Sun Ray DTUs for this update of PC/SC-lite; however, it may be possible to find a workaround. For example, if an application is incapable of handling readers that appear suddenly, then session mobility is likely to confuse the application, since session mobility simulates USB hotplug events with the USB smart card readers.
Workarounds for this probably involve re-starting the application after session mobility, and probably applying the instructions described in Step 1 above.
Disable the internal reader
If you only need the external reader and not the internal reader (for instance, when users are not identified by their cards and a more functional reader, such as a PIN pad equipped reader, is needed), use the following command to disable the internal reader:
# utdevadm -d -s internal_smartcard_reader
Specify the reader
Use the librdrselect tool, which enables you to choose just the reader you want. The librdrselect tool is available as part of the PC/SC-lite download (in the pcsctools ZIP file). Refer to the librdrselect README for instructions.