Virtual/Remote component
The virtual/remote component is available for all application programming interfaces that we export:
- PKCS#11, CSP, KSP
- Plugin
Same Computer
The basic virtual/remote component is local, on the same computer. Its function is to make sure that all applications execute cryptographic commands in the same processing environment. This means that they share the same access to the smart card and also the same PIN. This allows single sign-on without PIN caching, and also PIN pad support without locking out other applications.
The virtual/remote component is available as soon as those are enabled in the configuration:
#define SRV_SSO_PKCS11 "pkcs11"
#define SRV_SSO_CSP "csp"
#define SRV_SSO_KSP "ksp"
#define SRV_SSO_PLUGIN "plugin"
The communication between processes depends on platform. The default configuration uses "shared memory" to communicate on Windows, and TCP/IP over localhost on Linux/macOS.
Windows (shared memory):
[Service PKCS11]
Connect=mem PKCS11
Linux/macOS (TCP/IP over localhost):
[Service PKCS11]
Connect=net localhost
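To make the "same processing environment" idea concrete, here is an added illustration (not the product's own code) of the Same Computer scenario on the Linux/macOS style transport: one broker owns the card session and the PIN, and every application reaches the card over a localhost socket without ever sending the PIN. The token, the PIN "1234", the line protocol (SIGN/STATUS) and the keyed-hash "signature" are all constructed for the example.

```python
"""Constructed illustration of a local virtual/remote component:
one broker process owns the smart-card session (and the single PIN
entry), and every application reaches the card through it over a
localhost TCP socket. Not Net iD / vendor code."""
import hashlib
import socket
import socketserver
import threading

HOST = "127.0.0.1"


class SimulatedToken:
    """Stand-in for a smart card: verifies a PIN once, then signs."""
    def __init__(self, pin: str):
        self._pin = pin          # constructed PIN, known only to the "card"
        self.logged_in = False
        self.pin_attempts = 0

    def verify_pin(self, pin: str) -> bool:
        self.pin_attempts += 1
        self.logged_in = (pin == self._pin)
        return self.logged_in

    def sign(self, data: bytes) -> bytes:
        if not self.logged_in:
            raise PermissionError("PIN not verified")
        # constructed 'signature': keyed hash instead of a real RSA/ECDSA operation
        return hashlib.sha256(b"demo-card-key" + data).digest()


class CardBroker:
    """Single processing environment: one token, one lock, one PIN entry."""
    def __init__(self, token: SimulatedToken):
        self.token = token
        self._lock = threading.Lock()

    def login_interactive(self, pin_from_pinpad: str) -> bool:
        # The PIN is entered once, in the broker (or on a PIN pad); clients never see it.
        with self._lock:
            return self.token.verify_pin(pin_from_pinpad)

    def handle(self, line: str) -> str:
        parts = line.strip().split(" ", 1)
        cmd = parts[0].upper()
        with self._lock:                       # serialise access to the card
            if cmd == "STATUS":
                return "LOGGED_IN" if self.token.logged_in else "LOGGED_OUT"
            if cmd == "SIGN" and len(parts) == 2:
                try:
                    return "OK " + self.token.sign(bytes.fromhex(parts[1])).hex()
                except (ValueError, PermissionError) as e:
                    return f"ERR {e}"
            return "ERR unknown command"


def serve(broker: CardBroker) -> socketserver.ThreadingTCPServer:
    """Listen on localhost (the 'net localhost' style transport); returns the server."""
    class Handler(socketserver.StreamRequestHandler):
        def handle(self):
            for raw in self.rfile:             # one request line at a time
                self.wfile.write((broker.handle(raw.decode()) + "\n").encode())
    srv = socketserver.ThreadingTCPServer((HOST, 0), Handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def remote_sign(port: int, data: bytes) -> str:
    """What an application (PKCS#11/CSP/KSP/plugin side) does: no PIN in the request."""
    with socket.create_connection((HOST, port)) as s:
        s.sendall(b"SIGN " + data.hex().encode() + b"\n")
        return s.makefile("r").readline().strip()


if __name__ == "__main__":
    broker = CardBroker(SimulatedToken(pin="1234"))
    srv = serve(broker)
    port = srv.server_address[1]
    print(remote_sign(port, b"hello"))         # rejected: nobody has entered the PIN yet
    broker.login_interactive("1234")           # one PIN entry serves every application
    print(remote_sign(port, b"hello"))         # OK <hex>
    srv.shutdown()
```

The point to take from it: the second application gets a signature without a second PIN prompt and without any process caching the PIN, because only the broker ever held it. On Windows the configured "mem" transport would replace the socket, but the broker side is unchanged.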
Terminal Server
The more interesting scenarios involve a Terminal Server environment. Instead of connecting to the local computer (the server), a channel is opened to the client where the Terminal Server session was started.
Available channel options:
- Virtual Channel: Microsoft standard for Microsoft Terminal Server
- Virtual Driver: Citrix standard for Citrix Terminal Server
The virtual channel/driver implementation from Microsoft/Citrix has limitations. Thus, we open a proxy on the server-side to make sure there is only one connection back to the client.
The Windows Logon architecture also has a limitation: the logon experience is separated into two different processes that run in two different environments. This limitation removes the possibility of using PKCS#11/KSP for now; only CSP will work.
[Service]
ProxyConnect=wts name:{name}
ProxyListen=mem PROXY-{type}-{name}
[Service CSP]
Connect=proxy {wts:win-station-name}|{TS}||mem CSP|*
For more requirements on the configuration, see Service XXX.