Sun Microsystems, Inc.

To Enable Smartcard on a System

Do the following to enable Solaris Smartcard on a system. This must be done on each system that will use Smartcard authentication. See smartcard(1M), pam_smartcard(5), and ocfserv(1M) for detailed information about Solaris Smartcard commands.

Command Line Example

See "To Enable Smartcard Usage (Command Line)" for instructions.

Smartcard Console Instructions

  1. Select OCF Clients in the Navigation pane.

    The Desktop icon is displayed in the Console pane.

  2. Double-click the Desktop icon.

    The Configure Clients dialog box is displayed.

  3. Select the Cards/Authentications tab in the dialog box.

    The three supported smart cards -- CyberFlex, IButton, and PayFlex -- are listed in the listbox at the left.

  4. Select the radio button labeled "Activate Desktop's Smart Card capabilities."


    Note - As soon as you click OK in the Configure Clients dialog box, Smartcard is activated. Be sure you have a working card reader on the system and a smart card configured with your username and password. Also be sure you know the PIN on the card, or you will be locked out of the system. If you cannot access your system because of Smartcard, rlogin to the system and, as superuser, disable Smartcard by typing: smartcard -c disable. You can also disable Smartcard from the Configure Clients dialog box by selecting the radio button labeled "Deactivate Desktop's Smart Card Capabilities" and clicking OK.


  5. Click Apply or OK.

    Solaris Smartcard is now enabled on the system.

  6. Exit CDE to activate the change.

Other Setup Tasks

If you don't want to use the default values for Smartcard timeouts and card removal actions, you can change them, as described below.

To Set Smartcard Timeouts (Console)

  1. Select OCF Clients in the Navigation pane.

  2. Double-click the Desktops icon in the Console pane.

    The Configure Clients dialog box is displayed.

  3. Select the Timeouts tab in the dialog box.

  4. Adjust the timeouts by sliding the indicator for each timeout with the mouse.

    • Card Removal timeout - specifies the number of seconds the desktop waits after a smart card is removed before locking the screen. This applies only when the "Ignore Card Removal" box is not checked under the Options tab. If Card Removal Logout Wait is set to 0, a user will never be logged out (that is, the screen remains locked until the user reauthenticates to unlock it).

    • Reauthentication timeout - specifies the number of seconds the Reauthentication screen is displayed when the card has been removed and the screen is locked.

    • Card Removal Logout Wait - specifies the number of seconds the desktop waits for a smart card to be reinserted when the Reauthentication screen is displayed. If the card is not reinserted in time, the user is logged out. Note that this timeout is relevant only when Reauthenticate After Card Removal (in the Options tab) is set to False.

  5. Click Apply or OK.

  6. Exit CDE to activate the change.

To Set Card Removal Options (Console)

  1. Select OCF Clients in the Navigation pane.

  2. Double-click the Desktops icon in the Console pane.

    The Configure Clients dialog box is displayed.

  3. Select the Options tab in the dialog box.

  4. Click the checkboxes to toggle them.

    • Ignore Card Removal - if checked, nothing happens when a smart card is removed from the reader.

    • Reauthenticate After Card Removal - if checked, a user is logged out when a card is removed. If it is not checked, the Card Removal Logout Wait setting (in the Timeouts tab) determines what happens.

  5. Click Apply or OK.

  6. Exit CDE to activate the change.
