By default, smart card readers attached to Sun Ray Clients are accessible to all users. Sun Ray Software now enables you to configure user access to smart card readers based on the zones configured on the Sun Ray server. Specifically, you can configure which smart card readers are accessible in which zones. Once you configure a smart card reader as being accessible in a zone, users with the appropriate zone permissions can access the smart card reader.
The utdevpolicy command enables you to configure access to smart card readers through device access policies. If you add a policy for at least one smart card reader, all smart card readers are controlled by the currently configured policies.
This access policy feature is available only on Sun Ray servers running Oracle Solaris Trusted Extensions and for internal or external smart card readers attached to Sun Ray Clients.
Here are some general device access policy rules and notes when using the utdevpolicy command, which apply to smart card reader access:
Smart card services must be configured on the Sun Ray server before you can configure access to the smart card readers. This prerequisite includes configuring the CCID IFD handler for external smart card readers. See Section 8.6, “Configuring Smart Card Services” for details.
Device access policy is maintained in the Sun Ray data store and is available to all Sun Ray servers in the same failover group.
You can configure device access policy at the device type or individual device level. For example, you can set a policy for all smart card readers or a specific smart card reader.
When you add a device access policy for a device, the policy is automatically enabled but the device is disabled. You must explicitly enable a device so it can be accessed through its policy.
You must perform a cold restart of Sun Ray services for device access policy changes to take effect.
Refer to the utdevpolicy man page for more details.
The utdevpolicy command requires the smart card reader device name when setting policy access.
For a Sun Ray Client's internal smart card reader, the device name is Sun Ray Smartcard Reader v1 00 00 when using scbus v1 and Sun Ray Smartcard Reader v2 00 00 when using scbus v2. You can use wildcarding to help shorten this name, such as Sun Ray Smartcard*.
For external smart card readers, the device names are listed in the /usr/lib/smartcard/ifd-ccid.bundle/Contents/Info.plist file on the Sun Ray server, under the ifdFriendlyName key. This file is available after you install the CCID Handler.
The following example, using utdevpolicy -l, shows a list of currently configured smart card reader access policies.
# utdevpolicy -l
Device Name          Device Type  Device    Policy    pI  Device Access Policy
-------------------------------------------------------------------------------
?                    pcscscr      ENABLED   ENABLED       ZONE=GLOBAL
                                                      iT  ZONE=RESTRICTED
*                    pcscscr      ENABLED   ENABLED   sT  ZONE=RESTRICTED
SCM SCR 3310         pcscscr      ENABLED   ENABLED       ZONE=secret
                                                      iT  ZONE=RESTRICTED
Sun Ray Smartcard*   pcscscr      ENABLED   ENABLED       ZONE=CLASSIFIED
                                                      iT  ZONE=RESTRICTED
Athena ASE IIIe      pcscscr      DISABLED  ENABLED       ZONE=public
                                                      iT  ZONE=RESTRICTED
In this example, the following policy configurations exist for the following devices:
"?" - Any smart card reader that does not match any of the specific device names is accessible in the GLOBAL zone, and it is also accessible in the RESTRICTED zone through the policy inherited from the pcscscr device type.
"*" wildcard - All smart card readers with policies are accessible in the RESTRICTED zone.
SCM SCR 3310 - The SCM smart card reader inherits the RESTRICTED zone access from the pcscscr device type, and it is also accessible in the secret zone.
Sun Ray Smartcard* - The Sun Ray Client's internal smart card reader inherits the RESTRICTED zone access from the pcscscr device type, and it is also accessible in the CLASSIFIED zone.
Athena ASE IIIe - The Athena smart card reader is not accessible in any zone, because the device itself is currently disabled (the Device column shows DISABLED) even though its policy is enabled.
The value iT in the pI column marks the policy lines that are inherited from the pcscscr device type; sT marks the policy set on the device type itself through the "*" entry.
This procedure describes how to add an access policy for a smart card reader. You can use the -m option instead of the -a option to modify the access policy.
Become superuser on the Sun Ray server.
Add an access policy for a smart card reader.
# utdevpolicy -a -t pcscscr -n 'device-name' -p 'key=value[,value]'
device-name is the name of a smart card reader. See Section 8.7.1, “Determining Smart Card Device Names” for information about how to get the device name. Add single quotes around the device name to prevent expansion by the shell.
You can specify a wildcard character (*) in the device name to provide an access policy for devices with similar names. For example, the SCM* device name provides an access policy for all device names starting with SCM.
You can use the wildcard character (*) alone as the device name to specify an access policy for all smart card readers. Each added smart card reader will inherit the access policy from the wildcard device name.
You can use the (?) character as the device name to specify an access policy for smart card readers that do not have a specific policy of their own.
key=value is a policy key and its value. You can provide multiple values separated by commas, and the entire policy specification should be quoted to prevent expansion by the shell. The following policy key is available for smart card readers:
ZONE - This key specifies the zone in which the smart card reader is accessible. The value is a zone name, which is case sensitive and must be an exact match of the actual zone name.
Enable the smart card reader to use the access policy.
# utdevpolicy -e -t pcscscr -n 'device-name'
Restart Sun Ray services.
# /opt/SUNWut/sbin/utstart -c
Verify that the access policy was added properly.
# utdevpolicy -l
The following example adds access to the Sun Ray Client's internal smart card reader in the CLASSIFIED zone.
# utdevpolicy -a -t pcscscr -n 'Sun Ray Smartcard*' -p 'ZONE=CLASSIFIED'
The following example adds access to the external SCM SCR 3310 smart card reader in the secret and CLASSIFIED zones.
# utdevpolicy -a -t pcscscr -n 'SCM SCR 3310' -p 'ZONE=secret,CLASSIFIED'
The following example adds access to all smart card readers in the GLOBAL zone.
# utdevpolicy -a -t pcscscr -n '*' -p 'ZONE=GLOBAL'
This procedure describes how to modify an access policy for an existing smart card reader. Modifying a policy replaces the current policy values with the new policy values.
Become superuser on the Sun Ray server.
Modify an access policy for a smart card reader.
# utdevpolicy -m -t pcscscr -n 'device-name' -p 'key=value[,value]'
device-name is the device name of a smart card reader. Add single quotes around the device name to prevent expansion by the shell. See Section 8.7.1, “Determining Smart Card Device Names” for more details.
key=value is a policy key and its value. You can provide multiple values separated by commas, and add single quotes around the entire policy specification to prevent expansion by the shell. The following policy key is available for smart card readers:
ZONE - This key specifies the zone in which the smart card reader is accessible. The value is a zone name, which is case sensitive and must be an exact match of the actual zone name.
Restart Sun Ray services.
# /opt/SUNWut/sbin/utstart -c
Verify that the access policy was modified properly.
# utdevpolicy -l
The following example modifies access to the Sun Ray Client's internal smart card reader so that it is now accessible in the secret zone.
# utdevpolicy -m -t pcscscr -n 'Sun Ray Smartcard*' -p 'ZONE=secret'
The following example modifies access to all smart card readers so that they are now all accessible in the CLASSIFIED zone.
# utdevpolicy -m -t pcscscr -n '*' -p 'ZONE=CLASSIFIED'
This procedure describes how to list all policies currently configured for smart card readers.
List the current access policies for smart card readers.
# utdevpolicy -l
This procedure describes how to disable the current policy for a smart card reader. When you add a policy for a smart card reader, the policy is enabled by default.
When you disable the policy for a smart card reader, the smart card reader is accessible in all zones as if the access policy control feature is not being used. If you want to completely disable access to a smart card reader, you can disable the device as described in Section 8.7.7, “How to Disable Access to a Smart Card Reader”.
Become superuser on the Sun Ray server.
Disable the current policy for a smart card reader.
# utdevpolicy -z policy -t pcscscr -n 'device-name'
You can use the -e policy option to enable the policy again, and you can use the -A -z policy option to disable (or -A -e policy to enable) the policies for all smart card readers.
Restart Sun Ray services.
# /opt/SUNWut/sbin/utstart -c
Verify that the access policy was modified properly.
# utdevpolicy -l
The following example disables the access policy for the Sun Ray Client's internal smart card reader. Note that after the change the Policy column shows DISABLED while the Device column stays ENABLED.
# utdevpolicy -l
Device Name          Device Type  Device    Policy    pI  Device Access Policy
-------------------------------------------------------------------------------
SCM SCR 3310         pcscscr      ENABLED   ENABLED       ZONE=secret
Sun Ray Smartcard*   pcscscr      ENABLED   ENABLED       ZONE=CLASSIFIED
# utdevpolicy -z policy -t pcscscr -n 'Sun Ray Smartcard*'
# utdevpolicy -l
Device Name          Device Type  Device    Policy    pI  Device Access Policy
-------------------------------------------------------------------------------
SCM SCR 3310         pcscscr      ENABLED   ENABLED       ZONE=secret
Sun Ray Smartcard*   pcscscr      ENABLED   DISABLED      ZONE=CLASSIFIED
This procedure describes how to disable access to a smart card reader.
When you disable a smart card reader, the smart card reader is inaccessible as if it does not exist.
Become superuser on the Sun Ray server.
Disable access to a smart card reader.
# utdevpolicy -z device -t pcscscr -n 'device-name'
You can use the -e device option to enable the device again, and you can use the -A -z device option to disable (or -A -e device to enable) all smart card readers.
Restart Sun Ray services.
# /opt/SUNWut/sbin/utstart -c
Verify that the access policy was modified properly.
# utdevpolicy -l
The following example disables access to the Sun Ray Client's internal smart card reader. Note that after the change the Device column shows DISABLED while the Policy column stays ENABLED.
# utdevpolicy -l
Device Name          Device Type  Device    Policy    pI  Device Access Policy
-------------------------------------------------------------------------------
SCM SCR 3310         pcscscr      ENABLED   ENABLED       ZONE=secret
Sun Ray Smartcard*   pcscscr      ENABLED   ENABLED       ZONE=CLASSIFIED
# utdevpolicy -z device -t pcscscr -n 'Sun Ray Smartcard*'
# utdevpolicy -l
Device Name          Device Type  Device    Policy    pI  Device Access Policy
-------------------------------------------------------------------------------
SCM SCR 3310         pcscscr      ENABLED   ENABLED       ZONE=secret
Sun Ray Smartcard*   pcscscr      DISABLED  ENABLED       ZONE=CLASSIFIED
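As an added audit example (not part of Sun Ray Software or this guide), the following Python script parses the plain-text output of utdevpolicy -l, as shown in the listing earlier in this section and in the two disable procedures above, and reports the zones from which a given reader is reachable by applying the rules stated here: a DISABLED device is unreachable everywhere, a DISABLED policy leaves the reader open to every zone, and otherwise only the listed and inherited (iT) zones apply. The sample listing, the zone list, and the name-resolution order (most specific glob pattern wins, then the ? entry, then *) are assumptions made for the example, not documented tool behaviour.

```python
# Added audit helper, not part of Sun Ray Software: parses `utdevpolicy -l`
# output and reports the zones from which a reader is reachable, using this
# section's rules (device DISABLED: unreachable; policy DISABLED: reachable in
# every zone; otherwise only own plus inherited iT zones). Name order assumed.
import fnmatch
import re

SAMPLE = """\
Device Name          Device Type  Device    Policy    pI  Device Access Policy
-------------------------------------------------------------------------------
?                    pcscscr      ENABLED   ENABLED       ZONE=GLOBAL
                                                      iT  ZONE=RESTRICTED
*                    pcscscr      ENABLED   ENABLED   sT  ZONE=RESTRICTED
SCM SCR 3310         pcscscr      ENABLED   ENABLED       ZONE=secret
                                                      iT  ZONE=RESTRICTED
Sun Ray Smartcard*   pcscscr      ENABLED   ENABLED       ZONE=CLASSIFIED
                                                      iT  ZONE=RESTRICTED
Athena ASE IIIe      pcscscr      DISABLED  ENABLED       ZONE=public
                                                      iT  ZONE=RESTRICTED
"""  # constructed sample, modelled on the listing shown in this section

ROW = re.compile(r"^(\S.*?)\s{2,}(\S+)\s+(ENABLED|DISABLED)\s+(ENABLED|DISABLED)"
                 r"\s+(?:(iT|sT)\s+)?ZONE=(\S+)$")
CONT = re.compile(r"^\s+(?:iT|sT)\s+ZONE=(\S+)$")  # inherited-policy line

def parse_listing(text):
    # Returns {device name: {"device": state, "policy": state, "zones": set}}
    entries, cur = {}, None
    for line in text.splitlines():
        if m := ROW.match(line):
            name, _type, dev, pol, _pi, zones = m.groups()
            cur = entries[name] = {"device": dev, "policy": pol,
                                   "zones": set(zones.split(","))}
        elif cur is not None and (m := CONT.match(line)):
            cur["zones"].update(m.group(1).split(","))  # zones inherited from type
    return entries

def effective_zones(entries, reader, all_zones):
    # Assumed resolution: most specific glob match, then '?', then '*'.
    specific = [n for n in entries if n not in ("?", "*")
                and fnmatch.fnmatchcase(reader, n)]
    name = max(specific, key=len) if specific else next(
        (n for n in ("?", "*") if n in entries), None)
    if name is None:                      # no policy configured: open to all zones
        return set(all_zones)
    e = entries[name]
    if e["device"] == "DISABLED":         # after -z device: reader does not exist
        return set()
    if e["policy"] == "DISABLED":         # after -z policy: as if feature unused
        return set(all_zones)
    return set(e["zones"])
```

Run it against the saved output of utdevpolicy -l from each server in a failover group to confirm that a reader such as Sun Ray Smartcard Reader v2 00 00 is reachable only from the zones you intended.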