A client (a Sun Ray Client or Oracle Virtual Desktop Client) that supports client authentication has a public-private key pair for client authentication. The key pair for a client is generated when the client first boots with the appropriate firmware.
Older versions of firmware, and the firmware that is preinstalled on Sun Ray Clients delivered from the factory, do not generate keys and do not support client authentication. To help you identify preinstalled firmware, note that versions of preinstalled firmware start with MfgPkg. You must update the firmware on the Sun Ray Clients in order to have keys generated.
When a client connects to a server and client authentication is enabled, the client sends its public key and a client identifier to the server. For a Sun Ray Client, the client identifier is its MAC address. Initially the server can verify only that the client is the owner of the submitted key, but it cannot verify that the client legitimately uses the submitted client ID.
The Sun Ray server stores a list of known clients and their public keys in the Sun Ray data store. A stored key can be marked as confirmed to indicate that authenticity of the key for the given client has been confirmed through human intervention. As long as no key has been marked confirmed for a client, the client authentication feature can ensure only that a client identifier is not used by multiple different clients with different keys. Only when the key has been verified and marked confirmed can the client authentication actually authenticate the identity of the client.
Keys for Oracle Virtual Desktop Clients are not stored in the data store and they are not displayed by the utkeyadm command or Admin GUI. Instead, an Oracle Virtual Desktop Client uses its key fingerprint as a client identifier so that the authenticity of the key for the given ID is established automatically. For more information, see Section 11.3.1, “Key Fingerprint”.
By default, a client with an unconfirmed key is granted a session unless its client identity has already been used with a different key. This is trust on first use: the first key seen for a client identifier is accepted without any proof that it belongs to that client. Multiple keys submitted for the same client identity might indicate an attack on that client's sessions, so session access is denied for the identity until an administrator explicitly confirms one of the keys as authentic, which re-enables access for the client.
Using the utpolicy command or the Admin GUI, you can select a stricter policy that requires authenticated client identities and denies access to any client whose key has not been verified and confirmed. If you choose this policy, you must explicitly mark the key for every new client as confirmed before the client can be used. To use this policy to full effect, also set the client authentication mode to hard in the security configuration, so that client authentication is required from all clients; otherwise a client that presents no key at all is not subject to the confirmation check.
You can use the utkeyadm command to manage client identities and their associated keys. All keys that are used for a client are listed by the key management tools.
With the utkeyadm command, you can perform the following actions:
List keys associated to known clients and their status
Confirm a client key after verifying its authenticity. If multiple unconfirmed keys are stored for a client, all other keys are deleted when one is confirmed as authentic.
Delete invalid or stale key entries
Export key data for all or selected client identities for backup and for transfer to other Sun Ray server instances
Import key data that has been exported on this or another Sun Ray server instance
You can also view, confirm, or delete associated keys for a client through the client's Desktop Properties page in the Admin GUI.
A key fingerprint is a human-readable name for a key and is what the user can see. It is generated by an MD5 hash of the public key data, and is displayed as 16 colon-separated hexadecimal bytes.
You can view the key fingerprint for a client in the key panel. To display the key panel, press Stop-K on an Oracle keyboard or Ctrl-Pause-K on a non-Oracle keyboard. To verify the authenticity of a client key, you can compare the key fingerprint displayed in the client's key panel with the one shown by the utkeyadm command for the same client.
Sun Ray Client keys are initially considered unconfirmed and need to be confirmed as authentic for the specific client by human intervention. Oracle Virtual Desktop Client keys are always considered automatically confirmed (auto-confirmed), because the ID by which an Oracle Virtual Desktop Client is identified is uniquely derived from its key.
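The following is an added example, not Sun Ray Software code, that models the server-side decisions described in the preceding sections: MD5 key fingerprints, trust on first use under the default policy, denial when one client identifier is seen with two keys, the stricter confirmation-required policy, and auto-confirmation of a client whose identifier is its own fingerprint. The class and function names, the in-memory dict standing in for the data store, and the assumption that the fingerprint is MD5 over the raw public-key bytes passed in (the page does not state the exact serialization the firmware hashes) are all my own.

```python
"""Model of the client-key trust decisions described in this chapter.

Added example, not Sun Ray Software code. Only the observable behaviour
comes from the documentation; the names, the dict used as "data store" and
the fingerprint input encoding are assumptions.
"""
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """MD5 of the public-key data, shown as 16 colon-separated hex bytes."""
    digest = hashlib.md5(public_key).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class KeyStore:
    """Known clients and their keys: keys[cid] maps fingerprint -> confirmed?"""
    # True models `utpolicy ... -c` (Client Key Confirmation Required).
    require_confirmed: bool = False
    keys: dict = field(default_factory=dict)

    def register(self, cid: str, public_key: bytes) -> str:
        """Record the (cid, key) pair a connecting client presents; decide on a session."""
        fp = fingerprint(public_key)
        # Oracle Virtual Desktop Client: its cid is the key fingerprint itself,
        # so the key's authenticity for that id holds by construction.
        if cid == fp:
            return "granted (auto-confirmed)"
        client = self.keys.setdefault(cid, {})
        client.setdefault(fp, False)          # every key ever used for a cid is listed
        if any(client.values()):
            # A human has confirmed one key for this cid; only that key is trusted.
            return "granted" if client[fp] else "denied (key differs from confirmed key)"
        if len(client) > 1:
            # Same cid seen with different keys: possible session hijack attempt.
            # Everyone claiming this cid is refused until a human confirms one key.
            return "denied (conflict)"
        if self.require_confirmed:
            return "denied (unconfirmed)"
        return "granted (unconfirmed)"        # default policy: trust on first use

    def confirm(self, cid: str, fp: str) -> int:
        """Like `utkeyadm -a -c cid -k fp`: mark fp authentic, delete the other keys."""
        if fp not in self.keys.get(cid, {}):
            raise KeyError(f"{fp} is not a stored key for {cid}")
        self.keys[cid] = {fp: True}
        return 1


if __name__ == "__main__":
    # Constructed sample: a genuine client and an impostor claiming its MAC-derived cid.
    store = KeyStore()
    genuine, impostor = b"genuine-sun-ray-key", b"impostor-key"
    cid = "IEEE802.000000ee0d6b"
    print(store.register(cid, genuine))     # granted (unconfirmed)
    print(store.register(cid, impostor))    # denied (conflict)
    print(store.register(cid, genuine))     # denied (conflict): the real client is locked out too
    store.confirm(cid, fingerprint(genuine))
    print(store.register(cid, genuine))     # granted
    print(store.register(cid, impostor))    # denied (key differs from confirmed key)
```

Note the consequence of the conflict rule: once an impostor has presented a second key for a client identifier, the genuine client is locked out as well until an administrator compares fingerprints (Stop-K on the client versus utkeyadm on the server) and confirms the right one.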
The following procedure sets the policy that a confirmed key is required before access to a client is granted. To enact a stronger policy, you should also set up the security policy to require client authentication from all clients, as described in Section 11.2.5, “How to Force Client Authentication From All Clients”.
View the current policies:
# utpolicy
Current Policy: -a -g -z both -k pseudo -u pseudo
Set the client authentication policy with the -c option:
# utpolicy -a -g -z both -k pseudo -u pseudo -c
Restart the Sun Ray services:
# utstart
On the Advanced > System Policy tab page, select the Client Key Confirmation Required option in the Client Authentication section.
Restart all servers in the server group.
This procedure is required if a client receives a Keyerror (49) or Session Refused (50) icon due to conflicting or unconfirmed keys. After the key is confirmed, the client must reconnect before it can get a session: reboot it, or insert and remove a smart card.
View the unconfirmed keys (key fingerprints) for all or specific clients.
To determine whether an unconfirmed client key really belongs to that client, press Stop-K (Ctrl-Pause-K on a non-Oracle keyboard) on the client and compare the fingerprint shown in its key panel with the one listed by utkeyadm.
Confirm the key. If only one key is stored for the client, the -c option is enough; if several keys are stored, also specify the verified fingerprint with -k:
# utkeyadm -a -c IEEE802.000000ee0d6b
1 key confirmed.
# utkeyadm -a -c IEEE802.00000f85f52f -k 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3
1 key confirmed.
Go to the Desktop Unit Properties page for a single client.
In the Client Keys table, select a single key and click Confirm.
If you are certain that all clients requiring key confirmation have been connected to the server group (their genuine keys are stored on the server) and if you are certain that no unwanted clients have keys stored on the server, then you can summarily confirm all known unconfirmed keys. If conflicting keys exist for a client, that client will be skipped.
Display all the client keys.
# utkeyadm -l -H
For example:
# utkeyadm -l -H
CID                   TYPE  KEY-FINGERPRINT                                  STATUS
IEEE802.00000adc1a7a  DSA*  4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e  confirmed
IEEE802.00000f85f52f  DSA*  1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3  unconfirmed
IEEE802.00000f85f52f  DSA*  4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e  unconfirmed
IEEE802.00000fe4d445  DSA*  13:d0:d4:47:aa:7f:00:ba:db:ad:26:3a:17:25:11:24  unconfirmed
IEEE802.000000ee0d6b  DSA*  d0:d7:d0:57:12:18:00:ba:db:ad:b7:0f:5a:c0:8b:13  unconfirmed
Confirm all unconfirmed client keys.
# utkeyadm -a -U
Skipping cid=IEEE802.00000f85f52f: Multiple (2) keys found.
2 keys confirmed.
Using the previous example, the unconfirmed client keys for IEEE802.00000fe4d445 and IEEE802.000000ee0d6b are confirmed, while IEEE802.00000f85f52f is skipped because two keys are stored for it.
To display the key fingerprint for a client, press the Stop-K key combination on an Oracle keyboard or Ctrl-Pause-K on a non-Oracle keyboard.
If the key panel does not display, the client might have old firmware installed that doesn't support client authentication.
If the message No key available is displayed, the client still has preinstalled MfgPkg firmware or a bug exists.
This procedure shows how to display all client keys in the data store. For additional options to display client keys, see the utkeyadm man page.
Use the utkeyadm command.
# utkeyadm -l -H
For example:
# utkeyadm -l -H
CID                   TYPE  KEY-FINGERPRINT                                  STATUS
IEEE802.00000adc1a7a  DSA*  4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e  confirmed
IEEE802.00000f85f52f  DSA*  1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3  unconfirmed
IEEE802.00000f85f52f  DSA*  4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e  unconfirmed
IEEE802.00000fe4d445  DSA*  13:d0:d4:47:aa:7f:00:ba:db:ad:26:3a:17:25:11:24  unconfirmed
IEEE802.000000ee0d6b  DSA*  d0:d7:d0:57:12:18:00:ba:db:ad:b7:0f:5a:c0:8b:13  unconfirmed
For multiple clients, click the Desktop Units tab.
The Client Key Status column indicates whether the client has a key in a confirmed or unconfirmed status, whether the client has multiple unconfirmed keys creating a conflict, or whether any key exists for the client at all. The possible Client Key Status values are None, Unconfirmed, Confirmed, Conflict, Automatic, or Invalid.
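As an added example (not part of Sun Ray Software), the following script parses the utkeyadm -l -H listing shown above and derives, per client, the Client Key Status value the Admin GUI would show, a preview of what utkeyadm -a -U would confirm or skip, and one check the listing itself invites but the tool does not flag: a fingerprint that appears under more than one client identifier. The sample listing is copied from this page; the function names and the mapping rules are my own assumptions based on the status descriptions above.

```python
"""Audit helper for `utkeyadm -l -H` output (added example, not Sun Ray code).

Input format, as printed by the tool: one key per line,
    CID  TYPE  KEY-FINGERPRINT  STATUS
Function names and the status mapping are assumptions drawn from the
documentation's description of the Client Key Status values.
"""
from collections import defaultdict

# Constructed sample: the listing shown on this page, embedded so the script runs offline.
SAMPLE_LISTING = """\
CID                   TYPE  KEY-FINGERPRINT                                  STATUS
IEEE802.00000adc1a7a  DSA*  4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e  confirmed
IEEE802.00000f85f52f  DSA*  1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3  unconfirmed
IEEE802.00000f85f52f  DSA*  4f:98:25:60:3b:fe:00:ba:db:ad:56:32:c3:e2:8b:3e  unconfirmed
IEEE802.00000fe4d445  DSA*  13:d0:d4:47:aa:7f:00:ba:db:ad:26:3a:17:25:11:24  unconfirmed
IEEE802.000000ee0d6b  DSA*  d0:d7:d0:57:12:18:00:ba:db:ad:b7:0f:5a:c0:8b:13  unconfirmed
"""


def parse_listing(text: str) -> dict:
    """Return {cid: [(fingerprint, status), ...]} from utkeyadm -l -H output."""
    keys = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] == "CID":
            continue                      # header or blank line
        cid, _key_type, fp, status = fields
        keys[cid].append((fp, status.lower()))
    return dict(keys)


def client_key_status(entries: list) -> str:
    """Map one client's key entries to the Admin GUI's Client Key Status value."""
    statuses = [status for _, status in entries]
    if not statuses:
        return "None"
    if "confirmed" in statuses:
        return "Confirmed"                # confirming a key deletes the others
    if len(statuses) > 1:
        return "Conflict"                 # several unconfirmed keys for one cid
    return "Unconfirmed"


def plan_confirm_all(keys: dict) -> tuple:
    """Preview of `utkeyadm -a -U`: (cids that would be confirmed, {skipped cid: key count})."""
    confirmed, skipped = [], {}
    for cid, entries in sorted(keys.items()):
        if not any(status == "unconfirmed" for _, status in entries):
            continue                      # nothing to do for this client
        if len(entries) > 1:
            skipped[cid] = len(entries)   # conflicting keys: human must choose
        else:
            confirmed.append(cid)
    return confirmed, skipped


def keys_used_by_multiple_clients(keys: dict) -> dict:
    """Fingerprints presented under more than one cid: {fingerprint: [cids]}."""
    owners = defaultdict(set)
    for cid, entries in keys.items():
        for fp, _ in entries:
            owners[fp].add(cid)
    return {fp: sorted(cids) for fp, cids in owners.items() if len(cids) > 1}


if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    for cid, entries in sorted(keys.items()):
        print(f"{cid}  {client_key_status(entries)}")
    to_confirm, to_skip = plan_confirm_all(keys)
    print("would confirm:", to_confirm)
    print("would skip:", to_skip)
    # In the page's own sample, the key confirmed for ...adc1a7a was also
    # presented under ...f85f52f: a device may be claiming another client's MAC.
    print("shared keys:", keys_used_by_multiple_clients(keys))
```

Run it against a saved listing (utkeyadm -l -H > keys.txt, then parse_listing(open("keys.txt").read())) before a bulk confirm: the shared-key report is the case worth examining, because a key that is already confirmed for one client and also stored under a second client identifier means the same device has connected under two identities.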
This procedure shows how to display the keys stored in the data store for a specific client. For additional options to display client keys, see the utkeyadm man page.
Use the utkeyadm command.
# utkeyadm [-l|-L] -c cid -H
where cid is the desktop ID of the client and -L displays additional auditing information.
The following example displays all keys for the IEEE802.0003ba0d93af client with additional auditing information.
# utkeyadm -L -c IEEE802.0003ba0d93af -H
CID                   TYPE  KEY-FINGERPRINT                                  STATUS       CREATED                  CONFIRMED  CONFIRMED BY
IEEE802.0003ba0d93af  DSA*  4f:98:25:60:3b:fe:d6:f8:fb:38:56:32:c3:e2:8b:3e  unconfirmed  2009-06-01 05:08:50 UTC  -
For a single client, go to the Desktop Unit Properties page.
The Client Keys table shows the known keys and their status for the client.
To delete a specific client key, use the following command:
# utkeyadm -d -c cid -k key-id
where cid is the desktop ID of the desktop to which the key belongs and key-id is the key fingerprint.
For example:
# utkeyadm -d -c IEEE802.00000f85f52f -k 1c:d4:b9:31:9d:f0:00:ba:db:ad:65:6c:8e:80:4d:b3
1 key deleted.