InfoDoc ID   Synopsis   Date
21959   Configuring a Sun Ray 1 Enterprise Appliance as a Token Reader   13 Mar 2000

Status Issued

Description

Configuring a Sun Ray 1 Enterprise Appliance as a Token Reader 
It is possible to configure one of the Sun Ray 1 enterprise appliances 
attached to the Sun Ray enterprise server as a token reader. You can 
then use the smart card reader in this Sun Ray 1 appliance to obtain 
smart card token IDs for pre-registration (or other administration).

Note that if you set up one Sun Ray 1 appliance as a token reader, you 
will not be able to use the Hot Desk feature on this appliance (which 
depends on the reading of smart cards), but you should still be able to 
establish a conventional session.

This procedure is also covered in the Sun Ray Enterprise Server Software
1.0 Administrator's Guide, on page 63, under the heading "To Configure a
Token Reader." 

    
    To Configure a Token Reader 

     1. Determine the current authentication policy: 

      # utpolicy

      Reading policy file: /etc/opt/SUNWut/policy/utpolicy

      Policy:

      /opt/SUNWut/sbin/utpolicy -r card -s card -z pseudo


     2. Pick a Sun Ray 1 enterprise appliance to be the smart card token
      ID reader. You can use the utdesktop command to list currently 
      connected Sun Ray 1 enterprise appliances: 

      # utdesktop -lc

      Desktop ID      Location        Current User
      -------------   --------        ------------

      080020b53927

      080020b53d07

      2 desktops currently connected.


     Note that the "Desktop ID" is the Sun Ray 1 enterprise appliance's 
     Ethernet (MAC) address, which is also printed on a label attached 
     to the bottom left of the appliance itself. 

     3. Set a new authentication policy to add the designated appliance 
       as a token reader. 

     Use the utpolicy command with the -a option to set the policy, 
     specifying the -r, -s and -z values from the previously displayed 
     current policy and adding the designated appliance as a token 
     reader: 

      # utpolicy -a -r card -s card -z pseudo -t add:080020b53927

      The most recent policy change is significant.


     4. Restart the authentication manager. 

     The authentication manager must be restarted for changes to take 
     effect. If you cannot afford to terminate existing sessions, you 
     can restart the authentication manager without clearing existing 
     sessions. Note that some sessions that were granted access under 
     the old policy may persist. 

         To restart the authentication manager without clearing 
         existing sessions, use the following command: 

          # /opt/SUNWut/sbin/utpolicy -i soft


         To restart the authentication manager and clear existing 
         sessions, use the following command: 

          # /opt/SUNWut/sbin/utpolicy -i clear

          Any command line option other than -i was ignored.

          Waiting 60+ seconds to insure that all SunRay sessions exit...

          Restarting SunRay services

          battered# stopping authentication manager

          starting session manager

          starting authentication manager


         During this time, any sessions will be lost, and the Sun Ray 1 
         enterprise appliances will reset.

         You will now be able to read the token from a smart card using 
         the HTML administration interface, as in this example.



    
    To Unconfigure a Token Reader 



     1. Re-establish the old authentication policy. 

     Display the current policy and then reset it without any -t 
     add:nnnnnnnnnnnn arguments: 

      # utpolicy

      Reading policy file: /etc/opt/SUNWut/policy/utpolicy

      Policy:

      /opt/SUNWut/sbin/utpolicy -r card -s card -z pseudo

      -t clear -t add:CoronaP1.080020b53927

      # utpolicy -a -r card -s card -z pseudo

      The most recent policy change is significant.



     2. Restart the authentication manager. 

     The authentication manager must be restarted for changes to take 
     effect. If you cannot afford to terminate existing sessions, you 
     can restart the authentication manager without clearing existing 
     sessions. Note that some sessions that were granted access under 
     the old policy may persist. 

     To restart the authentication manager without clearing existing 
     sessions, use the following command: 

      # /opt/SUNWut/sbin/utpolicy -i soft


     To restart the authentication manager and clear existing sessions, 
     use the following command: 

      # /opt/SUNWut/sbin/utpolicy -i clear

      Any command line option other than -i was ignored.

      Waiting 60+ seconds to insure that all SunRay sessions exit...

      Restarting SunRay services

      battered# stopping authentication manager

      starting session manager

      starting authentication manager


     During this time, any sessions will be lost, and the Sun Ray 1 
     enterprise appliances will reset.
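
Both procedures above depend on retyping the current -r, -s and -z values correctly. The following script is an added example, not part of the original InfoDoc or the Sun Ray software: it builds the step 3 and unconfigure command lines from saved utpolicy output and checks the Desktop ID format first. The function names are hypothetical, the sample text is constructed from the output shown above, and the script assumes the policy text is supplied on standard input.

```shell
#!/bin/sh
# Added example: nothing here runs utpolicy; the functions only print the
# command line for an administrator to review.

# Constructed sample in the output format shown in this document
# (policy wrapped over two lines, one token reader already listed).
SAMPLE_POLICY='Reading policy file: /etc/opt/SUNWut/policy/utpolicy
Policy:
/opt/SUNWut/sbin/utpolicy -r card -s card -z pseudo
-t clear -t add:CoronaP1.080020b53927'

# policy_args (hypothetical helper): read "utpolicy" output on stdin and
# print the policy options with every "-t <value>" pair dropped.
policy_args() {
    awk '
        /\/utpolicy / { on = 1; sub(/^.*\/utpolicy /, "") }  # policy line starts here
        on && NF {
            for (i = 1; i <= NF; i++) {
                if ($i == "-t") { i++; continue }            # skip -t and its value
                out = out (out ? " " : "") $i
            }
        }
        END { print out }'
}

# valid_desktop_id: a Desktop ID is the appliance MAC address, 12 hex digits.
valid_desktop_id() {
    [ "${#1}" -eq 12 ] || return 1
    case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
    return 0
}

# add_reader_cmd ID: print the step 3 command; policy text comes from stdin.
add_reader_cmd() {
    valid_desktop_id "$1" || { echo "bad Desktop ID: $1" >&2; return 1; }
    args=$(policy_args)
    [ -n "$args" ] || { echo "no policy found in input" >&2; return 1; }
    echo "utpolicy -a $args -t add:$1"
}

# remove_readers_cmd: print the unconfigure command (no -t arguments).
remove_readers_cmd() {
    args=$(policy_args)
    [ -n "$args" ] || { echo "no policy found in input" >&2; return 1; }
    echo "utpolicy -a $args"
}

printf '%s\n' "$SAMPLE_POLICY" | add_reader_cmd 080020b53927
printf '%s\n' "$SAMPLE_POLICY" | remove_readers_cmd
```

As in step 3, only the -r, -s and -z values are carried over, so any token reader already in the policy is not included in the printed add command.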



References 

     utdesktop(1m) manual page 

     utpolicy(1m) manual page 

     utuser(1m) manual page 

INTERNAL SUMMARY: http://webhome2.eng/iawpubs/5minute/token/token.html
SUBMITTER: Andras Cser
APPLIES TO: Hardware, Operating Systems/Solaris/Solaris 2.x
ATTACHMENTS:


Copyright (c) 1997-2003 Sun Microsystems, Inc.