Hi Mike,

Would you be able to share the white paper that describes how to write a custom smartcard config file? We are asked by a customer to read an HID card on Sun Ray.

Thanks a lot.
Steven



Michael Bender/MBP wrote:
Hi Alan,

Thanks for the explanation. We will try to extract the card's serial number
to use as the token ID.

Great! Let me know if you need any help.

mike

----

Regards,
Alan



From: Michael Bender <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: SunRay-Users mailing list <[email protected]>
Date: 12/07/2007 02:17
Subject: Re: [SunRay-Users] Non-supported smart cards
Please respond to: SunRay-Users mailing list <[EMAIL PROTECTED]>



Seth/Alan,

Talk to your Sun sales rep (or VAR).  Mine was willing to send a couple
of our sample cards to the appropriate engineers at Sun. They were able
to test them and create a config file for me. They're also going to try
to bundle it with the next release of SRSS.

I did that work ;-) We're trying to get out of the business of writing
custom smartcard config files however. I wrote a white paper a while
back that describes how you can create your own custom smartcard config
file so that you can support whatever cards you'd like to use on Sun Ray,
unfortunately that paper isn't publicly available yet since I've got
to go through it and do some more cleanup before we can release it. My
goal is to get that done by the end of July so that anyone can download
the paper from Sun's website.

In the meantime, I can answer your questions. Sun Ray uses a set of
smartcard config files that are installed in /etc/opt/SUNWut/smartcard
to try to identify the card that is inserted into the Sun Ray DTU. A
config file has one simple goal in life - it either returns a unique
token or it tells the system that it couldn't identify the card. When
it returns a token, the format is: <token type>.<token ID> (without the
<>'s), so that you will see tokens such as:

     Payflex.12345678
     OpenPlatform.85987474737848

and so on. There is no requirement that the token type or token ID be
in any specific format, although by convention the token type is the
name of the card or card family, and the token ID is some unique ID
from the card. That unique ID can be a card serial number, the CUID
from an OpenPlatform card, or any other string that is unique to that
card.

To see how this stuff works, have a look at the smartcard config files
in /etc/opt/SUNWut/smartcard. You'll see that some files use the card's
ATR to help identify the card, others use a sequence of APDUs that
are particular to that card/card family, while others use some combination
of the two things. Extracting a unique ID from the card is also highly
card dependent, so there is no single APDU that can be used for this
(+1 to the 30+ year old smartcard industry for not coming up with even
the basic principle of a generic way to extract a unique ID :-().

So, for your card, you'll need to know two things:

     1. What can you use from the card to identify that it's your
        card - the more specific you can be, the better since there
        is less chance that your rules will incorrectly identify
        other cards.

     2. What you need to do to extract a unique ID out of the card.

You have only two mechanisms at your disposal - the card's ATR and
the ability to exchange APDUs with the card. That's it. There is no
I/O to the user, no way to talk to some local or network service, so
that means that whatever mechanism you choose to do both #1 and #2,
it has to work without any user intervention - i.e. no user PIN being
entered for example.

Once you figure that all out, then you can write your own smartcard
config file using the existing files as templates. It helps if you
are familiar with stack-based languages such as Forth since the config
files are written in the SwapDrop language.

mike

----

Seth

[EMAIL PROTECTED] wrote:
Hi,

How do I get the SunRay 2FS DTU to read unsupported smart cards (like
ASK)?
And what command does the SunRay DTU issue to the smart card and then
read off the token ID (e.g. Payflex.500db2e800130200, from a Sun Java
card or GEMPLUS-MPCOS_16K...., GEMPlus card. )?

We are switching from our regular GEMPlus cards to ASK cards and the
newer ASK cards are not recognised by the DTU. And I need to use the
cards to map the desktop VM (VMware VDI solution) to a user.

Thanks for the help.

Regards,
Alan


_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users

***************************************************************************
            IMPORTANT NOTICE:
This email and any files transmitted with it is intended only for
the use of the person(s) to whom it is addressed, and may
contain information that is privileged, confidential and exempt
from disclosure under applicable law. If you are not the intended
recipient, please immediately notify the sender and delete
the email. Thank you.
***************************************************************************
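
The identification flow described in the thread above (match on the ATR, exchange APDUs without user input, then return <token type>.<token ID> or report that the card was not identified), as an added Python illustration. It is not part of the original thread, not SwapDrop and not a Sun Ray config file; the card name, ATR prefix, APDU and simulated card are constructed assumptions.

```python
# Added illustration only. Rule contents below are constructed, not taken
# from any file in /etc/opt/SUNWut/smartcard.

SW_OK = b"\x90\x00"  # ISO 7816-4 status word meaning "command succeeded"

# Each rule answers the two questions from the thread:
#   1. how to recognise the card (here: an ATR prefix), and
#   2. how to pull a unique ID out of it (here: one APDU, fixed-length reply).
RULES = [
    {
        "type": "ExampleCard",                    # hypothetical token type
        "atr_prefix": bytes.fromhex("3b6900ff"),  # constructed ATR prefix
        "apdu": bytes.fromhex("00b0000008"),      # READ BINARY, 8 bytes (assumed)
        "id_len": 8,
    },
]


class FakeCard:
    """Constructed stand-in for a card sitting in the reader."""

    def __init__(self, atr, responses):
        self.atr = atr
        self._responses = responses

    def transmit(self, apdu):
        # Unknown commands are answered with 6D00 (instruction not supported).
        return self._responses.get(apdu, b"\x6d\x00")


def identify(card, rules=RULES):
    """Return '<token type>.<token ID>' or None if no rule identifies the card."""
    for rule in rules:
        # Step 1: the more specific the match, the lower the chance of
        # misidentifying some other card.
        if not card.atr.startswith(rule["atr_prefix"]):
            continue
        # Step 2: no PIN, no user I/O, just an APDU exchange.
        resp = card.transmit(rule["apdu"])
        data, sw = resp[:-2], resp[-2:]
        if sw != SW_OK or len(data) != rule["id_len"]:
            continue  # card refused or returned an unexpected length
        return f'{rule["type"]}.{data.hex()}'
    return None  # tell the caller the card could not be identified
```

Checking both the status word and the reply length before emitting a token keeps a card that merely shares an ATR prefix from being issued a truncated or empty token ID.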





