Sun Ray™, Smart Cards, and Citrix
Enabling Sun Ray Smart Card Pass-through to Citrix
Sun Microsystems, Inc.
4150 Network Circle
Santa Clara, CA 95054 U.S.A.
650-960-1300
May 2004, Version 1.0
Enabling Sun Ray™ Smart Card
Pass-through to Citrix
This document is designed to help users configure the Sun Ray environment so that
the smart card channel is available from the Citrix Server to the Sun Ray desktop. It
covers the software required to establish this channel as well as how to install,
configure, and test the feature.
Note – The information in this document supersedes the requirement for the PC/SC
Lite package as listed in the Citrix Administrators Guide for UNIX ICA Clients insofar
as it applies to Sun Ray configuration.
NB: This is not applicable to other Sun workstations.
Overview
The primary (or out-of-the-box) function of smart cards in a Sun Ray environment is
to provide session mobility via the hot desking feature of the Sun Ray Server and its
clients, or desktop units (DTU). However, some smart cards, when combined with
middleware, also provide strong, two-factor authentication for access control and
the ability to digitally sign, encrypt, and decrypt files, email, etc.
It is also possible to use Citrix MetaFrame™ XP to extend this functionality from the
Sun Ray environment to a Windows environment. Citrix MetaFrame XP added
smart card support in Feature Release 2 and enabled this support on the client side
starting with the 6.30 version of ICA® Client for Solaris™/SPARC®.
The end result is that a Sun Ray user can perform certain tasks in a Windows
environment, including:
■ PIN-based logins
■ Digital signing, encrypting, and decrypting of email messages from Windows-based
email clients such as Microsoft Outlook.
Note – The configuration of Citrix and Windows servers and potential applications,
including smart card middleware, to be smart card-aware is beyond the scope of this
document; however, pointers are given where appropriate.
Software Requirements
The following software is required to ensure the proper operation of smart card
pass-through from the Sun Ray DTU to the Citrix Server.
Solaris Operating Environment
The only Solaris requirements are those that are required by Sun Ray Server
Software 2.0:
■ Solaris 9 Update 1 or better with the latest Solaris Cluster Patch or
■ Solaris 8 Update 7 or better with the latest Solaris Cluster Patch
Sun Ray Server Software and Patches
■ Sun Ray Server 2.0
■ Sun Ray Server Patch 114880-04 or later
Sun Ray PC/SC Bypass
■ Sun library to provide direct access to the Sun Ray smart card reader via the
PC/SC API bypassing both the Open Card Framework (OCF) and the Solaris
Card Framework (SCF).
■ Package name is SUNWsrcbp. Use version 1.0_07 or later.
■ Available from the Sun download center free of charge.
Citrix Client
■ Citrix ICA Client for Solaris/SPARC 6.30 or better. The current version as of this
writing is 7.02.
2755&downloadID=3283#top
Microsoft/Citrix Server Components
■ Windows 2000 or 2003 with the latest Service Pack and Hot fixes
■ Citrix MetaFrame XP (a, s, or e) FR2 or better
See “Using Smart Cards” in Citrix MetaFrame Advanced Concepts Guide
9534/Feature_Release_3_Advanced_Concepts.pdf
■ Smartcard Client software installed in Citrix Server
(such as ActivCard or Netsign)
Hardware Requirements
The following hardware is required to ensure the proper operation of smart card
pass-through from the Sun Ray DTU to the Citrix Server.
■ Sun Ray thin client (No specific DTU model)
■ Sun SPARC-based Server (i.e., Sun Ray Server)
■ Intel Server (For Windows/Citrix Server)
Sun Ray Requirements
Configuring your Sun Ray Server to allow smart card support for Citrix sessions
requires the following steps:
1. Ensure that you are running a current version of Solaris that supports Sun Ray
Server Software 2.0.
2. Apply the latest Solaris Cluster Patch.
3. Apply the latest Sun Ray Server Patch 114880.
The current version as of this document is 114880-04.
4. Ensure that smart card middleware is installed on the Citrix Server.
5. Install the Sun Ray PC/SC Bypass package.
Patch 114880-04 or later must be installed before the package is installed.
6. Configure/test Citrix ICA Client for Solaris/SPARC.
The first four steps are either general Solaris administration tasks or are beyond the
scope of this document, such as installing third-party middleware on the Citrix
Server. The steps that deal with installing Sun Ray PC/SC Bypass and configuring
and testing the ICA client are covered in detail below.
Smart Card Requirements
Microsoft Windows natively supports a limited number of smart cards. It is
important to have the correct drivers for the smart cards to be used in this
environment. Support for various smart cards varies by smart card client software
(often referred to as middleware) installed on the Citrix Server. For example, the U.S.
Department of Defense Common Access Card is not natively supported by Windows
and requires that middleware be installed on the Citrix Server (e.g., ActivCard for
CAC, Netsign CAC, Schlumberger CACtus).
■ Cards supported with Windows 2003 Server can be viewed here:
/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_SC_use_sctypes.asp
■ Cards supported with Windows 2000 Server can be viewed here:
=/windows2000/en/server/help/sag_SC_use_sctypes.htm
Note – If you connect to a Windows Server and receive the following message:
The card supplied requires drivers that are not on the system. Please try another card.
then you do not have a supported smart card for Windows and need middleware to
support your smart card in a Windows environment.
Installing the Sun Ray PC/SC Bypass
Note – Make sure that patch 114880-04 or later is installed before installing the Sun
Ray PC/SC Bypass.
1. Get the SUNWsrcbp package from the Sun Download Center.
2. Extract the package.
3. Install the SUNWsrcbp package via pkgadd.
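The patch prerequisite in the note above can be checked before pkgadd runs. This is an added example, not part of the Sun document: it assumes a POSIX shell and the standard Solaris showrev, pkgadd and pkginfo commands; the function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: gate the SUNWsrcbp install on the Sun Ray Server patch level.
REQ_PATCH=114880   # patch id named in this document
REQ_REV=4          # minimum revision, i.e. 114880-04

# Reads `showrev -p` style text on stdin. Succeeds only if REQ_PATCH is
# listed at revision REQ_REV or later (the highest listed revision counts).
patch_ok() {
    rev=$(sed -n "s/^Patch: $REQ_PATCH-\([0-9][0-9]*\).*/\1/p" |
          sort -n | sed -n '$p')
    [ -n "$rev" ] && [ "$rev" -ge "$REQ_REV" ]
}

# Constructed sample input (not captured from a real server); the second
# patch id and the package names are placeholders.
SAMPLE_OLD='Patch: 114880-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 000000-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWother'
SAMPLE_OK='Patch: 114880-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample'

# $1 = directory that holds the extracted SUNWsrcbp package.
# Run as root on the Sun Ray Server; nothing is installed if the check fails.
install_bypass() {
    if showrev -p | patch_ok; then
        pkgadd -d "$1" SUNWsrcbp && pkginfo -l SUNWsrcbp
    else
        echo "patch $REQ_PATCH-0$REQ_REV or later not found; not installing" >&2
        return 1
    fi
}
```
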
Installation Notes
A reboot of the server or a restart of Sun Ray Services should not be required;
however, the use of ActivCard Gold for Solaris or other implementations of PC/SC
lite, such as MUSCLE, may require a reboot.
If the Sun Ray PC/SC Bypass is used in conjunction with ActivCard Gold for Solaris,
the following additional tasks must be performed to allow the ActivCard product to
operate correctly:
1. Remove /etc/rc3.d/S99pcscd
2. Rename /usr/local/acgold/lib/libpcsclite.so to
/usr/local/acgold/lib/libpcsclite.ac
3. Symlink (ln -s) /opt/SUNWut/lib/libpcsc-srcom.so to
/usr/local/acgold/lib/libpcsclite.so
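The three ActivCard Gold steps above replace a shared library with a symlink, so the order of checks matters. The following is an added example, not part of the Sun document: it assumes a POSIX shell, and the function names and the ROOT prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example: the three ActivCard Gold steps with safety checks.
# ROOT is a hypothetical prefix: leave it empty on the live server, or pass
# a scratch directory to rehearse the change first.
swap_pcsclite() {
    ROOT=${1:-}
    rc="$ROOT/etc/rc3.d/S99pcscd"
    lib="$ROOT/usr/local/acgold/lib/libpcsclite.so"
    saved="$ROOT/usr/local/acgold/lib/libpcsclite.ac"
    bypass="$ROOT/opt/SUNWut/lib/libpcsc-srcom.so"

    # A dangling link would leave PC/SC clients without a library, so the
    # bypass library (from SUNWsrcbp) must exist before anything is changed.
    if [ ! -f "$bypass" ]; then
        echo "missing $bypass; install SUNWsrcbp first" >&2
        return 1
    fi
    # Never overwrite an earlier saved copy of the ActivCard library.
    if [ -f "$lib" ] && [ ! -h "$lib" ] && [ -f "$saved" ]; then
        echo "$saved already exists; resolve by hand" >&2
        return 1
    fi

    rm -f "$rc" || return 1                  # step 1: remove S99pcscd
    if [ -f "$lib" ] && [ ! -h "$lib" ]; then
        mv "$lib" "$saved" || return 1       # step 2: rename .so to .ac
    fi
    rm -f "$lib" && ln -s "$bypass" "$lib"   # step 3: link to the bypass
}

# Succeeds only when all three steps are in effect under the given ROOT.
swap_ok() {
    ROOT=${1:-}
    [ ! -f "$ROOT/etc/rc3.d/S99pcscd" ] &&
    [ -h "$ROOT/usr/local/acgold/lib/libpcsclite.so" ] &&
    [ -f "$ROOT/usr/local/acgold/lib/libpcsclite.so" ] &&
    [ -f "$ROOT/usr/local/acgold/lib/libpcsclite.ac" ]
}
```

Running swap_pcsclite a second time is harmless: the existing link is recreated and the saved .ac copy is left alone.
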
Configuring and Testing Citrix Smart Card Support
This document assumes that you know how to install and create connections using
the Citrix ICA Client. For information on installing and configuring the Citrix Client
for UNIX please read the Administrators Guide available at:
/docs/UnixCAG.pdf
To Install and Configure Citrix ICA Client
1. Install the latest Citrix ICA Client for Solaris (SPARC).
Use the latest version available from http://www.citrix.com/download
2. Uncompress and extract the distribution.
3. Run setupwfc from the location to which the distribution was extracted.
4. Take all defaults (install in /usr/lib/ICAClient).
If this step is not followed, the ICAROOT variable must be set for each user.
5. Launch the Citrix Client.
# /usr/lib/ICAClient/wfcmgr
The Citrix ICA Client for Solaris window appears.
FIGURE 1
Citrix ICA Client for Solaris Window
6. Highlight the Connection you wish to test Smart Card support for, and click the
properties button.
The Connection Properties Screen appears.
FIGURE 2
Connection Properties Screen
a. Select the drop down box labeled Network and select Login.
This presents the properties screen for Logon attributes.
b. For testing purposes, check the box labeled Allow Smart Card Logon.
c. Click OK.
d. Launch your connection.
When the Windows Desktop or Published Application appears, you should be
prompted for a PIN-based Login.
FIGURE 3
Windows Desktop with Prompt for PIN-based Login
Note – If you connect to a Windows Server and receive the following message:
The card supplied requires drivers that are not on the system. Please try another card.
then you do not have a supported smart card for Windows and need middleware to
support your smart card in a Windows environment; however, this message
indicates that the smart card channel is operating correctly.
You have now successfully enabled and tested the smart card channel from the Sun
Ray DTU to the Citrix Server.
Note – Unless your Windows environment is configured to perform PIN-based
logins (either via a Microsoft Certificate Server infrastructure or via middleware)
you should disable the Allow Smart Card Logon option for your Citrix Connection.
It is important to note that this does NOT disable the smart card channel for use
with other smart card-aware applications; it is just a very simple way to test the
channel.
Required Reading/Other Resources
Smart card support in a Citrix environment depends on more than just the
communication channel being established. Out-of-the-box Citrix smart card support
is limited to logins only. Unfortunately, smart card-based logins are not trivial and
require a fair amount of work to ensure proper operation. For more information on
configuring the Windows environment for smart card logins see the following
Microsoft article:
For information on enabling Smart Card Logon with Third Party Certification
Authorities (such as would be the case with the Common Access Card) please see
the following Microsoft Knowledge Base article:
Administrators of Citrix environments must configure Citrix to allow other
applications, such as Outlook, middleware utilities, etc., to use the smart card
channel. Use the SCCONFIG utility. For more information on using smart cards and
Citrix please see the Citrix Advanced Concepts Guide.
9534/Feature_Release_3_Advanced_Concepts.pdf