Sun Microsystems Network Card and Citrix User Manual

Sun Ray, Smart Cards, and Citrix  
Enabling Sun Ray Smart Card Pass-through to Citrix  
Sun Microsystems, Inc.  
4150 Network Circle  
Santa Clara, CA 95054 U.S.A.  
650-960-1300  
May 2004, Version 1.0  
 
Overview  
2
3
Installation Notes  
Configuring and Testing Citrix Smart Card Support  
5
6
To Install and Configure Citrix ICA Client  
Required Reading/Other Resources 10  
6
iii  
 
iv Book Title • Month 2004  
 
Enabling Sun RaySmart Card  
Pass-through to Citrix  
This document is designed to help users configure the Sun Ray environment so that  
the smart card channel is available from the Citrix Server to the Sun Ray desktop. It  
covers the software required to establish this channel as well as how to install,  
configure, and test the feature.  
Note – The information in this document supersedes the requirement for the PC/SC  
Lite package as listed in the Citrix Administrators Guide for UNIX ICA Clients in so far  
as it applies to Sun Ray configuration.  
NB: This is not applicable to other Sun workstations.  
Overview  
The primary (or out-of-the-box) function of smart cards in a Sun Ray environment is  
to provide session mobility via the hot desking feature of the Sun Ray Server and its  
clients, or desktop units (DTU). However, some smart cards, when combined with  
middleware, also enable the ability to provide strong, two-factor authentication for  
access control and the ability to digitally sign, encrypt, and decrypt files, email, etc.  
It is also possible to use Citrix MetaFrame™ XP to extend this functionality from the  
Sun Ray environment to a Windows environment. Citrix MetaFrame XP added  
smart card support in Feature Release 2 and enabled this support on the client side  
starting with the 6.30 version of ICA® Client for Solaris™/SPARC®.  
1
 
 
The end result is that a Sun Ray user can perform certain tasks in a Windows  
environment, including:  
PIN-based logins  
Digital signing, encrypting, and decrypting of email messages from Windows-  
based email clients such as Microsoft Outlook.  
Note – The configuration of Citrix and Windows servers and potential applications,  
including smart card middleware, to be smart card-aware is beyond the scope of this  
document; however, pointers are given where appropriate.  
Software Requirements  
The following software is required to ensure the proper operation of smart card  
pass-through from the Sun Ray DTU to the Citrix Server.  
Solaris Operating Environment  
The only Solaris requirements are those that are required by Sun Ray Server  
Software 2.0:  
Solaris 9 Update 1 or better with the latest Solaris Cluster Patch or  
Solaris 8 Update 7 or better with the latest Solaris Cluster Patch  
Sun Ray Server Software and Patches  
Sun Ray Server 2.0  
Sun Ray Server Patch 114880-04 or later  
2
Sun Ray, Smart Cards, and Citrix • May 2004  
 
     
Sun Ray PC/SC Bypass  
Sun library to provide direct access to the Sun Ray smart card reader via the  
PC/SC API bypassing both the Open Card Framework (OCF) and the Solaris  
Card Framework (SCF).  
Package name is SUNWsrcbp.Use version 1.0_07 or later.  
Available from the Sun download center free of charge.  
Citrix Client  
Citrix ICA Client for Solaris/SPARC 6.30 or better. The current version as of this  
writing is 7.02.  
2755&downloadID=3283#top  
Microsoft/Citrix Server Components  
Windows 2000 or 2003 with the latest Service Pack and Hot fixes  
Citrix MetaFrame XP (a, s, or e) FR2 or better  
See “Using Smart Cards” in Citrix MetaFrame Advanced Concepts Guide  
9534/Feature_Release_3_Advanced_Concepts.pdf  
Smartcard Client software installed in Citrix Server  
(such as ActivCard or Netsign)  
Hardware Requirements  
The following hardware is required to ensure the proper operation of smart card  
pass-through from the Sun Ray DTU to the Citrix Server.  
Sun Ray thin client (No specific DTU model)  
Sun SPARC-based Server (i.e., Sun Ray Server)  
Intel Server (For Windows/Citrix Server)  
Enabling Sun Ray™ Smart Card Pass-through to Citrix  
 
3
       
Sun Ray Requirements  
Configuring your Sun Ray Server to allow smart card support for Citrix sessions  
requires the following steps:  
1. Ensure that you are running a current version of Solaris that supports Sun Ray  
Server Software 2.0.  
2. Apply the latest Solaris Cluster Patch.  
3. Apply the latest Sun Ray Server Patch 114880.  
The current version as of this document is 114880-04  
4. Ensure that smart card middleware is installed on the Citrix Server  
5. Install the Sun Ray PC/SC Bypass package.  
Patch 114880-04 or later must be installed prior to installation  
6. Configure/test Citrix ICA Client for Solaris/SPARC.  
The first four steps are either general Solaris administration tasks or are beyond the  
scope of this document, such as installing third-party middleware on the Citrix  
Server. The steps that deal with installing Sun Ray PC/SC Bypass and configuring  
and testing the ICA client are covered in detail below.  
Smart Card Requirements  
Microsoft Windows natively supports a limited number of smart cards. It is  
important to have the correct drivers for the smart cards to be used in this  
environment. Support for various smart cards varies by smart card client software  
(often referred to as middleware) installed on the Citrix Server. For example, the U.S.  
Department of Defense Common Access Card is not natively supported by Windows  
and requires that middleware be installed on the Citrix Server (i.e. ActivCard for  
CAC, Netsign CAC, Schlumberger CACtus, etc.).  
Cards supported with Windows 2003 Server can be viewed here:  
/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_SC_us  
e_sctypes.asp  
Cards supported with Windows 2000 Server can be viewed here:  
=/windows2000/en/server/help/sag_SC_use_sctypes.htm  
4
Sun Ray, Smart Cards, and Citrix • May 2004  
 
   
Note – If you connect to a Windows Server and receive the following message:  
The card supplied requires drivers that are not on the system. Please try another card.  
then you do not have a supported smart card for Windows and need middleware to  
support your smart card in a Windows environment.  
Installing the Sun Ray PC/SC Bypass  
Note – Make sure that patch 114880-04 or later is installed before installing the Sun  
Ray PC/SC Bypass.  
1. Get the SUNWsrcbp package from the Sun Download Center.  
2. Extract the package.  
3. Install the SUNWsrcbp package via pkgadd.  
Installation Notes  
A reboot of the server or a restart of Sun Ray Services should not be required;  
however, the use of ActivCard Gold for Solaris or other implementations of PC/SC  
lite, such as MUSCLE, may require a reboot.  
If the Sun Ray PC/SC Bypass is used in conjunction with ActivCard Gold for Solaris,  
the following additional tasks must be performed to allow the ActivCard product to  
operate correctly:  
1. Remove /etc/rc3.d/S99pcscd  
2. Rename /usr/local/acgold/lib/libpcsclite.so to  
/usr/local/acgold/lib/libpcsclite.ac  
3. Symlink (ln –s) /opt/SUNWut/lib/libpcsc-srcom.so to  
/usr/local/acgold/lib/libpcsclite.so  
Enabling Sun Ray™ Smart Card Pass-through to Citrix  
 
5
 
Configuring and Testing Citrix Smart  
Card Support  
This document assumes that you know how to install and create connections using  
the Citrix ICA Client. For information on installing and configuring the Citrix Client  
for UNIX please read the Administrators Guide available at:  
/docs/UnixCAG.pdf  
To Install and Configure Citrix ICA Client  
1. Install the latest Citrix ICA Client for Solaris (SPARC).  
Use the latest version available from http://www.citrix.com/download  
2. Uncompress and extract the distribution.  
3. Run setupwfc from the location to which the distribution was extracted.  
4. Take all defaults (install in /usr/lib/ICAClient).  
If this step is not followed, the ICAROOT variable must set for each user  
5. Launch the Citrix Client.  
# /usr/lib/ICAClient/wfcmgr  
6
Sun Ray, Smart Cards, and Citrix • May 2004  
 
   
The Citrix ICA Client for Solaris window appears.  
FIGURE 1  
Citrix ICA Client for Solaris Window  
6. Highlight the Connection you wish to test Smart Card support for, and click the  
properties button.  
Enabling Sun Ray™ Smart Card Pass-through to Citrix  
7
 
The Connection Properties Screen appears.  
FIGURE 2  
Connection Properties Screen  
a. Select the drop down box labeled Network and select Login.  
This presents the properties screen for Logon attributes.  
b. For testing purposes, check the box labeled Allow Smart Card Logon.  
c. Click OK.  
d. Launch your connection.  
8
Sun Ray, Smart Cards, and Citrix • May 2004  
 
When the Windows Desktop or Published Application appears, you should be  
prompted for a PIN-based Login  
.
FIGURE 3  
Windows Desktop with Prompt for PIN-based Login  
Note – If you connect to a Windows Server and receive the following message:  
The card supplied requires drivers that are not on the system. Please try another card.  
then you do not have a supported smart card for Windows and need middleware to  
support your smart card in a Windows environment; however, this message  
indicates that the smart card channel is operating correctly.  
You have now successfully enabled and tested the smart card channel from the Sun  
Ray DTU to the Citrix Server.  
Enabling Sun Ray™ Smart Card Pass-through to Citrix  
 
9
Note – Unless your Windows environment is configured to perform PIN-based  
logins (either via a Microsoft Certificate Server infrastructure or via middleware)  
you should disable the Allow Smart Card Logon option for your Citrix Connection.  
It is important to note that this does NOT disable the smart card channel for use  
with other smart card-aware applications; it is just a very simple way to test the  
channel.  
Required Reading/Other Resources  
Smart card support in a Citrix environment depends on more than just the  
communication channel being established. Out-of-the-box Citrix smart card support  
is limited to logins only. Unfortunately, smart card-based logins are not trivial and  
require a fair amount of work to ensure proper operation. For more information on  
configuring the Windows environment for smart card logins see the following  
Microsoft article:  
For information on enabling Smart Card Logon with Third Party Certification  
Authorities (such as would be the case with the Common Access Card) please see  
the following Microsoft Knowledge Base article:  
Administrators of Citrix environments must configure Citrix to allow other  
applications, such as Outlook, middleware utilities, etc., to use the smart card  
channel. Use the SCCONFIG utility. For more information on using smart cards and  
Citrix please see the Citrix Advanced Concepts Guide.  
9534/Feature_Release_3_Advanced_Concepts.pdf  
10  
Sun Ray, Smart Cards, and Citrix • May 2004  
 
 

Solid State Logic Stereo System XR622 User Manual
Sony Clock Radio FX483 User Manual
Sony Security Camera SNCVM600 User Manual
Sony Stereo Receiver STR AV220 User Manual
Sony TV DVD Combo KDL52V4100 User Manual
Spectra Logic Server NTIER700 User Manual
Star Tech Development Switch SV211KUSB User Manual
Sylvania Clock Radio SCR4947 User Manual
Talkswitch Switch CTTS005002606 User Manual
Tanaka Trimmer TPE 250 User Manual