Tuesday Sep 15, 2009

UZI-card VDI integration

Prompted by one of our integration partners, I recently worked on integrating the Dutch UZI-card ('UZI-pas') with Sun VDI and Sun Ray. The aim of the UZI-card is to uniquely identify and authenticate healthcare providers. The UZI-card is issued by the Unique Healthcare Practitioner Identification Register, better known by its Dutch acronym: UZI-register.

What is the UZI-register?

"The UZI-register is the organisation that provides unique identification for healthcare practitioners in the Netherlands. The unique form of identification is provided by the UZI-register to healthcare practitioners in the form of an UZI-card, a kind of electronic passport. The UZI-register processes the application, production and issue of the UZI-card. The UZI-register is part of the Central Agency for Information on Healthcare Professions, an agency of the Dutch Ministry of Health, Welfare and Sports."

What is the UZI-card?

"The UZI-card constitutes a key condition for secure electronic communication and consultation of confidential information by healthcare practitioners. Just like the regular passport, it is an important individual ‘value document’. The UZI-card looks like a bank pass. It contains the electronic identity of a healthcare practitioner, which is protected against misuse. That is why the UZI-card, just like a bank pass, is provided with a unique pin code."

More information about the UZI-register and the UZI-card can be found at the website of the UZI-register.

The integration steps - an overview

To start with, inserting the card into a Sun Ray thin client immediately showed that the smartcard was recognized as a known smartcard type. This was a good start, since it meant I didn't have to configure a new smartcard config file. To be specific, the card issued for the user 'Kees Test44' (see the picture of the UZI-card above) was recognized as token 'OpenPlatform.40708533474701566491'. For demo purposes I configured this token in the Sun Ray environment to start a new Terminal Server (TS) session to the PDC, but this could easily be changed to start an RDP session to the user's desktop as managed by Sun VDI.

The next thing I needed to do was install the PC/SC-lite software on the VDI or Sun Ray server, so that the Sun Ray's smartcard reader becomes a PC/SC compliant reader that the Windows middleware can talk to. Software and instructions on installing the PC/SC-lite software can be found here.

Furthermore, in order to be able to do smartcard logon, I had to install an Active Directory (AD) Primary Domain Controller (PDC). Several steps need to be taken care of on this AD PDC. All of them are outlined in the document 'Handleiding configuratie smartcard logon' that can be found on the website of the UZI-register. First of all, I had to add the user 'Kees Test44' to the list of AD users and configure this user for smartcard logon. After this, I had to map this user to the UPN on the smartcard by configuring an alternative UPN suffix (equal to the 'Abonneenummer', the subscriber number) and defining his user logon name to be the UZI-number ('UZI-nummer'). The AD UPN must be exactly the UPN in the subject alternative name of the authentication certificate on the card; for our demo UZI-card this results in a UPN of 900001168@00000509. Besides installing (generating) a Domain Controller certificate, which needs to be present on the DC to be able to do smartcard logon, I had to import and trust the CA certificates of all of the issuing CAs in the trust hierarchy, all the way up to the root CA. More on this hierarchy (for the test UZI environment) can be found here. Finally, I had to install the smartcard middleware software (in this case that of AET Europe) on the desktop for the user 'Kees Test44'. Since I was using a TS connection to the PDC, I had to install it on the PDC itself. In the VDI desktop case we will have to install it on each desktop (template).
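The AD-side steps above, scripted as an added example (this is not from the original post or from the UZI-register's 'Handleiding'; the author did the configuration by hand). It assumes a domain controller with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later), the demo card's UZI-nummer 900001168 and Abonneenummer 00000509 from the post, and a hypothetical folder C:\uzi\ holding the downloaded root and issuing CA certificates plus an export of the card's authentication certificate. One caveat a Windows practitioner will want: besides trusting the chain, each CA that issues the logon certificates must also be published to the enterprise NTAuth store, otherwise smartcard logon fails even though the certificate chain validates.

```powershell
# Added example, not the original post's configuration.
# Assumptions: ActiveDirectory module available on the DC; CA certificates downloaded
# to C:\uzi\ (hypothetical path); values for the demo card taken from the post.
Import-Module ActiveDirectory

$uziNummer     = '900001168'                 # UZI-nummer -> user logon name
$abonneeNummer = '00000509'                  # Abonneenummer -> alternative UPN suffix
$upn           = "$uziNummer@$abonneeNummer" # must equal the UPN in the card's auth cert SAN

# 1. Register the subscriber number as an alternative UPN suffix for the forest.
Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = $abonneeNummer }

# 2. Create the user with that UPN and require a smartcard for interactive logon.
#    A password is still needed to enable the account; it is never used for logon
#    once -SmartcardLogonRequired is set, so use a long random one and forget it.
New-ADUser -Name 'Kees Test44' -GivenName 'Kees' -Surname 'Test44' `
    -SamAccountName $uziNummer -UserPrincipalName $upn `
    -AccountPassword (Read-Host -AsSecureString 'Throw-away initial password') `
    -SmartcardLogonRequired $true -Enabled $true

# 3. Trust the whole hierarchy. The root goes to the enterprise root store, every
#    intermediate to SubCA, and every CA that issues the logon certificates to NTAuth.
#    File names below are assumptions; use the files from the UZI-register website.
certutil -dspublish -f 'C:\uzi\uzi-test-root.cer'    RootCA
certutil -dspublish -f 'C:\uzi\uzi-test-issuing.cer' SubCA
certutil -dspublish -f 'C:\uzi\uzi-test-issuing.cer' NTAuthCA
certutil -pulse   # pull the published stores down to this machine right away

# 4. Check that the DC holds a usable Domain Controller certificate for smartcard logon.
certutil -dcinfo verify

# 5. Verify the mapping before trying a logon: the UPN in the card's authentication
#    certificate (exported to C:\uzi\kees-auth.cer, assumed path) must match the AD UPN.
$certUpn = (certutil -dump 'C:\uzi\kees-auth.cer' | Select-String 'Principal Name=').Line
$adUpn   = (Get-ADUser -Identity $uziNummer -Properties UserPrincipalName).UserPrincipalName
if ($certUpn -notmatch [regex]::Escape($adUpn)) {
    Write-Warning "UPN mismatch: card says '$certUpn', AD says '$adUpn'"
} else {
    Write-Host "UPN $adUpn matches the card; ready for smartcard logon"
}

# 6. With the middleware installed and the card inserted, list what Windows can see on it.
certutil -scinfo
```

Run it once on the PDC after the middleware is installed; step 5 is the check worth repeating whenever a card is re-issued, because a re-issued card can carry a different subscriber number and then the AD UPN silently stops matching.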

After all these steps, a smartcard logon was possible as can be seen in the video below.

Demonstration of UZI-card smartcard logon

The following video shows a demonstration of smartcard logon using the UZI-card for user 'Kees Test44'. In this video Kees logs on to his desktop and visits one of the specific healthcare web applications using one of the certificates on his smartcard.

Have fun, Rene!

PS: to be complete, more than one certificate was found on the UZI-card. Besides the certificate used for authentication in the demonstration above, the card also contained certificates for confidentiality (encryption) and for digital signing.
