11.7. Managing Client Keys

11.7.1. How to Confirm a Specific Client Key
11.7.2. How to Confirm All Unconfirmed Client Keys
11.7.3. How to Display a Client's Fingerprint Key from a Sun Ray Client
11.7.4. How to Display All Client Keys
11.7.5. How to Display All Keys for a Specific Client
11.7.6. How to Delete a Specific Client Key
11.7.7. How to Delete All Client Keys for a Specific Client

11.7.1. How to Confirm a Specific Client Key

This procedure is required if a client receives a Keyerror (49) or Session Refused (50) icon due to conflicting or unconfirmed keys. After the key is confirmed, the client can access a session only once it has been disconnected, either by rebooting it or by inserting and removing a smart card.

Before You Begin

  • View the unconfirmed keys (key fingerprints) for all or specific clients.

  • To determine whether an unconfirmed client key really belongs to that client, display the key fingerprint for the client by pressing Stop-K.

Command-Line Steps

# utkeyadm -a -c IEEE802.000000ee0d6b
1 key confirmed .
# utkeyadm -a -c IEEE802.00000f85f52f -k 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3
1 key confirmed .

Admin GUI Steps

  1. Go to the Desktop Unit Properties page for a single client.

  2. In the Client Keys table, select a single key and click Confirm.

11.7.2. How to Confirm All Unconfirmed Client Keys

If you are certain that all clients requiring key confirmation have been connected to the server group (their genuine keys are stored on the server) and if you are certain that no unwanted clients have keys stored on the server, then you can summarily confirm all known unconfirmed keys. If conflicting keys exist for a client, that client will be skipped.

  1. Display all the client keys.

    # utkeyadm -l -H

    For example:

    # utkeyadm -l -H
    CID TYPE KEY-FINGERPRINT STATUS
    IEEE802.00000adc1a7a DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e confirmed
    IEEE802.00000f85f52f DSA* 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3 unconfirmed
    IEEE802.00000f85f52f DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e unconfirmed
    IEEE802.00000fe4d445 DSA* 13:d0:d4:47:aa:7f:00:ba:db:ad:26:3a:17:25:11:24 unconfirmed
    IEEE802.000000ee0d6b DSA* d0:d7:d0:57:12:18:00:ba:db:ad:b7:0f:5a:c0:8b:13 unconfirmed

  2. Confirm all unconfirmed client keys.

    # utkeyadm -a -U
    Skipping cid=IEEE802.00000f85f52f: Multiple (2) keys found.
    2 keys confirmed.

    Using the previous example, the unconfirmed client keys for IEEE802.00000fe4d445 and IEEE802.000000ee0d6b are confirmed.
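
An added example, not part of the original documentation or of the Sun Ray software: a shell pre-flight check that reads the `utkeyadm -l -H` listing and reports which clients a bulk confirm would confirm and which it would skip, plus any fingerprint listed under more than one CID. It assumes the four-column listing format shown above and that any client with more than one listed key counts as a conflict; the function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight audit before a bulk `utkeyadm -a -U`.
# Input format: the `utkeyadm -l -H` listing (CID TYPE KEY-FINGERPRINT STATUS).

# Sample listing copied from the example output on this page, not live data.
sample_listing() {
cat <<'EOF'
CID TYPE KEY-FINGERPRINT STATUS
IEEE802.00000adc1a7a DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e confirmed
IEEE802.00000f85f52f DSA* 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3 unconfirmed
IEEE802.00000f85f52f DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e unconfirmed
IEEE802.00000fe4d445 DSA* 13:d0:d4:47:aa:7f:00:ba:db:ad:26:3a:17:25:11:24 unconfirmed
IEEE802.000000ee0d6b DSA* d0:d7:d0:57:12:18:00:ba:db:ad:b7:0f:5a:c0:8b:13 unconfirmed
EOF
}

# Print "<cid> <verdict>" per client, sorted by CID.
#   conflict      more than one key listed (assumed to match the "Multiple (n) keys" skip)
#   would-confirm exactly one key and it is unconfirmed
#   <status>      exactly one key in any other state, reported as listed
audit_keys() {
    awk '
        $1 == "CID" || NF < 4 { next }      # skip header and malformed lines
        { keys[$1]++; status[$1] = $4 }
        END {
            for (cid in keys) {
                if (keys[cid] > 1)                     v = "conflict"
                else if (status[cid] == "unconfirmed") v = "would-confirm"
                else                                   v = status[cid]
                print cid, v
            }
        }' | LC_ALL=C sort
}

# Print "<fingerprint> <cid> <cid>..." for fingerprints listed under more than one CID.
shared_fingerprints() {
    awk '
        $1 == "CID" || NF < 4 { next }
        !seen[$3, $1]++ { n[$3]++; cids[$3] = cids[$3] " " $1 }
        END { for (fp in n) if (n[fp] > 1) print fp cids[fp] }' | LC_ALL=C sort
}

# On a server, replace sample_listing with: utkeyadm -l -H
if [ "${1:-}" = "--demo" ]; then
    sample_listing | audit_keys
    sample_listing | shared_fingerprints
fi
```

Any client reported as `conflict` still needs its fingerprint checked at the client with Stop-K and confirmed individually with `utkeyadm -a -c cid -k key-id`.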

11.7.3. How to Display a Client's Fingerprint Key from a Sun Ray Client

To display the key fingerprint for a client, press the Stop-K key combination on a Sun keyboard or Ctrl-Pause-K on a non-Sun or PC keyboard.

If the key panel does not display, the client might have old firmware installed that doesn't support client authentication.

If the message No key available is displayed, the client still has preinstalled MfgPkg firmware or a bug exists.

11.7.4. How to Display All Client Keys

This procedure shows how to display client keys in the data store. For additional options to display client keys, see the utkeyadm man page.

Command-Line Steps

  • Use the utkeyadm command.

    # utkeyadm -l -H

    For example:

    # utkeyadm -l -H
    CID TYPE KEY-FINGERPRINT STATUS
    IEEE802.00000adc1a7a DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e confirmed
    IEEE802.00000f85f52f DSA* 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3 unconfirmed
    IEEE802.00000f85f52f DSA* 4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e unconfirmed
    IEEE802.00000fe4d445 DSA* 13:d0:d4:47:aa:7f:00:ba:db:ad:26:3a:17:25:11:24 unconfirmed
    IEEE802.000000ee0d6b DSA* d0:d7:d0:57:12:18:00:ba:db:ad:b7:0f:5a:c0:8b:13 unconfirmed

Admin GUI Steps

  • For multiple clients, click the Desktop Units tab.

    The Client Key Status column indicates whether the client has a key in a confirmed or unconfirmed status, whether the client has multiple unconfirmed keys creating a conflict, or whether a key exists for the client. The possible Client Key Status values are None, Unconfirmed, Confirmed, Conflict, Automatic, or Invalid.

11.7.5. How to Display All Keys for a Specific Client

This procedure shows how to display client keys in the data store. For additional options to display client keys, see the utkeyadm man page.

Command-Line Steps

  • Use the utkeyadm command.

    # utkeyadm [-l|-L] -c cid -H

    where cid is the desktop ID of the client and -L displays additional auditing information.

Example

The following example displays all keys for the IEEE802.0003ba0d93af client with additional auditing information.

# utkeyadm -L -c IEEE802.0003ba0d93af -H
CID TYPE KEY-FINGERPRINT STATUS CREATED CONFIRMED CONFIRMED BY
IEEE802.0003ba0d93af DSA* 4f:98:25:60:3b:fe:d6:f8:fb:38:56:32:c3:e2:8b:3e unconfirmed 2009-06-01 05:08:50 UTC -

Admin GUI Steps

  • For a single client, go to the Desktop Unit Properties page.

    The Client Keys table shows the known keys and their status for the client.

11.7.6. How to Delete a Specific Client Key

  • To delete a specific client key, use the following command:

    # utkeyadm -d -c cid -k key-id

    where cid is the desktop ID of the desktop to which the key belongs and key-id is the key fingerprint.

    For example:

    # utkeyadm -d -c IEEE802.00000f85f52f -k 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3
    1 key deleted .

11.7.7. How to Delete All Client Keys for a Specific Client

  • To delete all client keys for a specific client, type the following command:

    # utkeyadm -d -c cid

    where cid is the desktop ID of the desktop to which the keys belong.

    For example:

    # utkeyadm -d -c IEEE802.00000f85f52f
    2 keys deleted.