Virtual/Remote component

The virtual/remote component is available for all application programming interfaces that we export:

  • PKCS#11, CSP, KSP

  • Plugin

Same Computer

The basic virtual/remote component is local to the same computer. Its function is to make sure that all applications execute cryptographic commands in the same processing environment. This means that they share the same access to the smart card and also the same PIN. This allows single sign-on without PIN caching, and also PIN PAD support without locking out other applications.

The virtual/remote component is available as soon as the following service types are enabled in the configuration:

#define SRV_SSO_PKCS11 "pkcs11"
#define SRV_SSO_CSP    "csp"
#define SRV_SSO_KSP    "ksp"
#define SRV_SSO_PLUGIN "plugin"

The communication between processes depends on the platform. The default configuration uses shared memory on Windows and TCP/IP over localhost on Linux/macOS.

Windows (shared memory):

[Service PKCS11]
Connect=mem PKCS11

Linux/macOS (TCP/IP over localhost):

[Service PKCS11]
Connect=net localhost

Terminal Server

The more interesting scenarios involve a Terminal Server environment. Instead of connecting to the local computer (the server), a channel is opened to the client from which the Terminal Server session was started.

Available channel options:

  • Virtual Channel: Microsoft standard for Microsoft Terminal Server

  • Virtual Driver: Citrix standard for Citrix Terminal Server

Example 1. Opening a server-side proxy to work around Microsoft and Citrix limitations.

The virtual channel/driver implementations from Microsoft and Citrix have limitations. We therefore open a proxy on the server side to make sure there is only one connection back to the client.

The Windows Logon architecture also has a limitation: the logon experience is separated into two different processes that run in two different environments. For now, this rules out PKCS#11/KSP; only CSP will work.

[Service]
ProxyConnect=wts name:{name}
ProxyListen=mem PROXY-{type}-{name}

[Service CSP]
Connect=proxy {wts:win-station-name}|{TS}||mem CSP|*
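As an added example (not code from the original documentation), the following Python parses the [Service ...] fragments shown in the Same Computer and Terminal Server sections above and lints them against the rules the text states: shared memory is the Windows default and TCP/IP over localhost the Linux/macOS default, a proxy connection needs the ProxyConnect/ProxyListen keys, and only CSP works through the Terminal Server proxy (the last rule treats the Windows Logon restriction as applying to proxy use, which is an assumption; the KSP section in the sample is constructed to trigger it).

```python
import re

def parse_services(text):
    """INI-like fragment -> {section header: {key: value}}. A tiny parser, so the
    unnamed [Service] proxy section and named [Service CSP] sections coexist."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = re.match(r"^\[([^\]]+)\]$", line)
        if match:
            current = " ".join(match.group(1).split())
            services.setdefault(current, {})
        elif current is None or "=" not in line:
            raise ValueError("malformed line: %r" % line)
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            services[current][key] = value
    return services

def lint_services(services, platform):
    """Findings for platform 'windows', 'linux' or 'macos', using the page's rules."""
    findings, proxy = [], services.get("Service", {})
    default = "mem" if platform == "windows" else "net"  # shared memory vs TCP/IP on localhost
    for header, keys in services.items():
        parts = header.split()
        if len(parts) < 2 or "Connect" not in keys:
            continue  # the bare [Service] section only carries the Proxy* keys
        api, transport = parts[1].upper(), keys["Connect"].split(None, 1)[0].lower()
        if transport in ("mem", "net") and transport != default:
            findings.append("%s: %s is not the %s default (%s)" % (header, transport, platform, default))
        elif transport == "proxy":
            if "ProxyConnect" not in proxy or "ProxyListen" not in proxy:
                findings.append("%s: Connect=proxy needs ProxyConnect/ProxyListen in [Service]" % header)
            if api != "CSP":  # assumption: the Windows Logon restriction (only CSP) covers proxy use
                findings.append("%s: only CSP works over the Terminal Server proxy" % header)
    return findings

# Constructed sample: the page's Terminal Server fragment plus a KSP service that (as an assumption) wrongly uses the proxy.
SAMPLE = """
[Service]
ProxyConnect=wts name:{name}
ProxyListen=mem PROXY-{type}-{name}
[Service CSP]
Connect=proxy {wts:win-station-name}|{TS}||mem CSP|*
[Service KSP]
Connect=proxy {wts:win-station-name}|{TS}||mem KSP|*
"""
```

Running `lint_services(parse_services(SAMPLE), "windows")` reports only the KSP section; the CSP section and the Same Computer fragments pass on their default platform.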

For further configuration requirements, see Service XXX.