Oracle MiniCluster supports smart cards that are based on Public Key Infrastructure (PKI) credentials for authentication to Application and Database VMs. Two-factor authentication using U.S. DoD Common Access Cards (CAC) and U.S. Government-issued Personal Identity Verification (PIV) cards is supported for SSH clients that use a smart card and smart card reader. Smart card authentication is not supported for the mcinstall and oracle users.
Smart cards use a PIN, rather than a password. The smart card is protected from misuse by the PIN, which is known only to the smart card's owner. To use the smart card, insert the card in a smart card reader that is attached to a computer and type the PIN when prompted. The smart card can be used only by someone who possesses the smart card and knows the PIN. For SSH use, a CAC, PIV, or X.509 certificate-based smart card should remain in the reader for the duration of the session. When the smart card is removed from the reader, the credentials are unavailable in the existing SSH session and to any applications.
You should use OpenSSH libraries for SSH clients. When OpenSSH is enabled, you must also enable OpenSSL in FIPS-140 mode, because OpenSSH relies on it in the Oracle MiniCluster STIG environment. Type the following to enable OpenSSL in FIPS-140 mode:
# pkg set-mediator -I fips-140 openssl
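To confirm that the mediator change took effect, the following added example (not part of the Oracle documentation) classifies the output of `pkg mediator -H -F tsv openssl`. The function names and sample lines are constructed for illustration, and the tsv column order (MEDIATOR, VER. SRC., VERSION, IMPL. SRC., IMPLEMENTATION) is an assumption to verify on your release.

```shell
#!/bin/sh
# Added example, not Oracle's code: audit the IPS "openssl" mediator.
# Input on stdin: output of `pkg mediator -H -F tsv openssl`.
# Assumed tsv columns: MEDIATOR, VER. SRC., VERSION, IMPL. SRC., IMPLEMENTATION

# Print one of: "fips-140 (<source>)", "non-fips (<impl>)", or "unset".
openssl_mediator_state() {
    awk -F '\t' '
        $1 == "openssl" { found = 1; src = $4; impl = $5 }
        END {
            if (!found)             { print "unset"; exit }
            if (impl == "fips-140") { print "fips-140 (" src ")"; exit }
            print "non-fips (" (impl == "" ? "none" : impl) ")"
        }'
}

# Return 0 only when the FIPS-140 implementation is selected.
check_openssl_fips() {
    state=$(openssl_mediator_state)
    case "$state" in
        fips-140*)
            echo "OK: openssl mediator is $state"
            return 0 ;;
        *)
            echo "FAIL: openssl mediator is $state" >&2
            echo "      fix: pkg set-mediator -I fips-140 openssl" >&2
            return 1 ;;
    esac
}

# Constructed sample lines (not captured from a real system).
SAMPLE_FIPS=$(printf 'openssl\tvendor\t\tlocal\tfips-140')
SAMPLE_DEFAULT=$(printf 'openssl\tvendor\t\tvendor\tdefault')

# On a VM, run:  pkg mediator -H -F tsv openssl | check_openssl_fips
```

An empty result ("unset") is treated as a failure, because no mediator line means the FIPS-140 implementation was never selected.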
To learn how to access the Oracle Solaris environment in MiniCluster Application and Database VMs with a smart card and log in to the Solaris environment, refer to Chapter 7, "Using Smart Cards for Multifactor Authentication in Oracle Solaris," in "Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3".