Tag: SunRay

Looks like convergence projects are in the limelight… lately I noticed a lot of interests on enabling the use of common credentials for securely accessing physical and logical resources.  Although we find most convergence projects are targeted at the enterprise level but there are serious minds working on using smartcard based PKI credentials for supporting citizen-scale projects (I regret that I cannot discuss the specifics) !  Ofcourse the use of on-card PKI credentials and its on-demand verification with the PKI service provider is in practice for a while now at security sensitive organizations. The DoD CAC, PIV and most smartcard based National ID/eIDs contain PKI certificate credentials and few of them includes Biometric samples of the card holder as well. Using those on-card identity credentials for accessing physical and logical resources becomes critical and also makes sense to  fulfil the ultimate purpose of issuing smartcard based credentials… it cannot be overstated.

 

Couple of weeks ago, I had a chance to present and demonstrate PIV card credentials based logical access control using Sun IDM, OpenSSO Enterprise, WinXP running on Sun Ray environment. The demo was hosted  one of the Big5 SI.  If you curious to see my preso detailing the pieces of the puzzle…here you go:

Onlinerel Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google Yahoo Buzz StumbleUpon

Lately I’ve been franctically busy with couple of my ISVs and an SI helping them out on a Citizen-scale National Healthcare Identity Infrastructure solution pilot for one of the populous countries in the Atlantic region – Sorry I cannot disclose the country’s name to abide their privacy laws and to protect my job :-) . The solution aims to deliver an Unified Desktop/Voice Infrastructure via Sun Ray environment and fortified by Biometrics and Smartcard PKI based authentication to access the exposed services.  Using Smartcard/PKI and Biometrics for Sun Rays has been deployed in production (at few customers) and in practice for a while now… but in my current project the interesting thing is the complete Sun Ray solution will be hosted as a SaaS environment (~Private Cloud) and other complexities are related to legal/privacy issues with performing citizen’s biometric enrollment and storing the biometric information with a private organization  (Especially, when the Country’s privacy laws forbids storing citizen’s biometric samples). Keeping those nail biting legal issues aside, the Govt folks are still very enthusiastic and excited about adopting to Biometric authentication for Sun Ray based desktops to access their SaaS hosted Web-based healthcare applications.

 

Biometric Authentication for Sun Rays

Biometric Authentication on a Sun Ray environment

 

Looks cool, Is’nt it.  If you are curious to know the secret sauce of the Sun Ray biometric authentication solution, here is the bill of materials, to put together in place:

  1. Sun Ray Session Server 4.x or above
  2. Solaris 10 X64 or SPARC
  3. Sun OpenSSO (Biometric SSO for Web applications)
  4. Sun Identity Manager (Provisioning Biometric Samples during enrollment)
  5. Sun Directory Server
  6. Sun Secure Global Desktop (Support accessing Windows, Mac, Linux, Solaris Desktops)
  7. Oracle 11g or MySQL 5.x database
  8. BiObex Authentication Middleware (Advanced Biometric Controls)
  9. Hamster Plus – USB Biometric Scanner (SecuGen) – For supporting Desktop/Web authentication
  10. CrossMatch Verifier E – Biometric Scanner for supporting Biometric enrollment

Shortly, I will update this blog entry with a detailed architecture and deployment cheatsheet… as soon as I wrap up my current project deliverables.  If you are a Sun Ray enthusiast,  I know you will be having some burning questions ! Feel free to send them, I will try to answer them quick…. otherwise please stay tuned for my unofficial deployment guide.

 

This stateless infrastructure could be your next generation client for securely accessing your virtual desktops hosted on the cloud :-)

Onlinerel Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google Yahoo Buzz StumbleUpon

A picture is worth a thousand words. This picture is intended for a friend of mine (a doubting Thomas), who did’nt believe my latest work on enabling a multi-factor authentication based “Web SSO” that uses on-card credentials (PIN + PKI + Biometrics) using PIV card. This solution is currently tested to run Sun OpenSSO Enterprise 8 (running on Glassfish v2), ActivClient (from ActivIdentity) and BioSP (from Aware) and PIV Smartcards on a Sun Ray environment. It works. If you are curious to know this special sauce, please bear with me. I will post the documentation including solution ingredients and other configuration details …very soon.

Onlinerel Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google Yahoo Buzz StumbleUpon

Last week, I was test driving a PIV Smartcard based PKI as a keystore (via Java PKCS#11)  to support using the PKI/certificate credentials for performing encryption/decryption and digital signature operations  (PKI based logins to Web applications, Encryption/decryption of documents, Digitally signing email). There is no secret receipe but some of you may find it a bit difficult – if you are doing it for first time.  So, here is my quick cheat sheet for your better understanding :

Since J2SE 5.0,  JCE introduced support for the PKCS#11 standard that allows the following:

  • Using hardware cryptographic accelerators for enhancing performance of cryptographic operations.
  • Using smart cards as key stores for key and trust management.

To use these services, it is necessary to install the PKCS#11 implementation provided by the hardware accelerator and smart card vendors. As part of the J2SE 5.0 bundle (and up), Sun facilitates a SunPKCS#11 provider.

To use a smart card as a keystore or trust store, set the javax.net.ssl.keyStoreType and javax.net.ssl.trustStoreType of the Java runtime system properties  to “pkcs11“, and set the javax.net.ssl.keyStore and javax.net.ssl.trustStore system properties to NONE. To specify the use of a vendor smart-card provider, use the javax.net.ssl.keyStoreProvider and javax.net.ssl.trustStoreProvider
Java runtime system properties to identify them. (For example: “SunPKCS11-smart card”). By setting these properties, you can configure an application to use a smart-card keystore with no changes to the application that previously accessed a file-based keystore.

Configuring a Smart card as a Java Keystore (using OpenSC Framework)

OpenSCThe following example shows how to configure OpenSC supported smart card as a Java keystore and list the certificates using the keytool utility. The OpenSC framework can be downloaded from http://www.opensc.org.

  1. Add the OpenSC PKCS#11 module as the keystore provider in java.security file located at $JAVA_HOME/jre/lib/security/java.security.

    security.provider.1=sun.security.pkcs11.SunPKCS11   /opt/openSC/openscpkcs11-solaris.cfg

  2. Create the OpenSC PKCS#11 configuration file. For example, the openscpkcs11-solaris.cfg looks like as follows:
    name = OpenSC-PKCS11
    description = SunPKCS11 w/ OpenSC Smart card Framework
    library = /usr/lib/pkcs11/opensc-pkcs11.so
  3. With the above settings, it is possible to use the smart card as a keystore and retrieve information about the certificates from your Smartcard. For example,  you may use the keytool utility to list certificate entries from a smart card:

$ keytool -keystore NONE -storetype PKCS11 -providerName SunPKCS11-OpenSC -list -v
Enter keystore password: <SMARTCARD_PIN>
Keystore type: PKCS11
Keystore provider: SunPKCS11-OpenSC
Your keystore contains 4 entries

Alias name: Signature
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: SERIALNUMBER=79797900036, GIVENNAME=Nagappan Expire1779,
SURNAME=R, CN=Nagappan (Signature), C=US
Issuer: CN=Nagappan OpenSSL CA, C=US
Serial number: 1000000000102fdf39941
Valid from: Sat Nov 01 15:29:22 EST 2008 until: Wed Jun 01 15:29:22 EST 2009
Certificate fingerprints:
MD5: 12:20:AC:2F:F2:F5:5E:91:0A:53:7A:4B:8A:F7:39:4F
SHA1:
77:76:48:DA:EC:5E:9C:26:A2:63:A9:EC:A0:14:42:BF:90:53:0F:BC
Alias name: Root
Entry type: trustedCertEntry
Owner: CN=Nagappan OpenSSL Root CA, C=US
Issuer: CN=Nagappan OpenSSL Root CA, C=US

Serial number: 11111111111111111111111111111112
Valid from: Sat Nov 01 15:29:22 EST 2008 until: Wed Jun 01 15:29:22 EST 2009
Certificate fingerprints:
MD5: 5A:0F:FD:DB:4F:FC:37:D4:CD:95:17:D5:04:01:6E:73
SHA1:
6A:5F:FD:25:7E:85:DC:60:81:82:8D:D1:69:AA:30:4E:7E:37:DD:3B
Alias name: Authentication
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: SERIALNUMBER=79797900036, GIVENNAME=Nagappan Expire1779,
SURNAME=R, CN=NAGAPPAN, C=US
Issuer: CN=Nagappan OpenSSL CA, C=US
Serial number: 1000000000102fd10d2d9
Valid from: Sat Nov 01 15:29:22 EST 2008 until: Wed Jun 01 15:29:22 EST 2009
Certificate fingerprints:
MD5: 29:7E:8A:5C:91:34:9B:05:52:21:4E:49:5B:45:F8:C4
SHA1:
15:B7:EA:27:E1:0E:9D:94:4E:7B:3B:79:00:48:A2:31:7E:9D:72:1A

—————–

Using Sun Ray DTU as your Smart card Reader

In our case, the customer chose to use Sun Ray as the Smartcard reader where the inserted card is used for performing session mobility and PKI/Certificate based cryptographic operations. To enable access to Smartcard based PKI credentials on Sun Rays, make sure you install the Sun Ray PC/SC Lite to support accessing smart cards. You may download the PC/SC Lite for Sun Ray Server (SRSS 4.x) from:

http://www.sun.com/download/products.xml?id=46af59b2

Enjoy

Onlinerel Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google Yahoo Buzz StumbleUpon

Sun Rays has been widely popular in Government applications for a while now.  With the introduction of HSPD-12/PIV cards,  I had multiple requests from my SI friends asking me to verify whether PIV cards work on SunRays for hotdesking and enabling PKI based authentication.  As on today, Sun Ray Session Server 4.0 does’nt officially support PIV cards …particularly I meant PIV cards from Obethur and GemAlto.  Here is the SunRay-PIV-OberthurCards-CheatSheet and also download the Oberthur Card Profile for SunRays – I prepared this cheatsheet based on my first successful attempt using Oberthur PIV on SunRays to verify that  IT WORKS for hotdesking/session mobility and desktop authentication using OpenSC PAM.

For those curious to know about OpenSC support for PAM authentication on Sun Rays – make a note OpenSC.org does support Solaris 10 and Sun Rays that includes a PAM module. Also, here is some useful information about PIV card support in OpenSC.

BTW, Sun Rays already provides support for DoD CAC cards.

Enjoy.

Update: The download URL changed to Sun ThinkThin blog.

Onlinerel Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google Yahoo Buzz StumbleUpon

Important Disclaimer:The information presented in this weblog is provided “AS IS” with no warranties, and confers no rights. It solely represents our opinions. This weblog does not represent the thoughts, intentions, plans or strategies of our employers.
.