Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Safeguard Authentication Services 6.0.1 - Authentication Services for Smart Cards Administration Guide

Privileged Access Suite for UNIX Introducing Safeguard Authentication Services for Smart Cards Installing Safeguard Authentication Services for Smart Cards Configuring Safeguard Authentication Services for Smart Cards
Configuring the vendor’s PKCS#11 library Configuring the card slot for your PKCS#11 library Configuring PAM applications for smart card login Configuring certificates and CRLs Locking the screen saver upon card removal (macOS)
Testing Safeguard Authentication Services for Smart Cards Troubleshooting

Test the smart card user

You can check if the smart card has been set up correctly with the appropriate user by using vastool.

To test that a card has been initialized with an appropriate user

  1. Run the vastool smartcard test user command, as follows:

    # vastool smartcard test user
    Testing user user@vas.example
    Testing certificate validity ... ok
    Testing if PIN is required ... ok
    Enter PIN for user@vas.example: xxxxxxxx
    Performing login to card ... ok
    Generating signature ... ok
    Verifying signature ... ok

    This tests whether a valid user is on the card, and whether you are able to log into the card and use its cryptographic functions. If your card requires a PIN, enter the password at the prompt.

    The vastool smartcard test card function generates output similar to the following:

    CKM_RSA_X_509 CKM_MD2_RSA_PKCS CKM_MD5_RSA_PKCS CKM_SHA1_RSA_PKCS
    CKM_DES_KEY_GEN CKM_DES_ECB CKM_DES_CBC CKM_DES_CBC_PAD CKM_DES2_KEY_GEN
    CKM_DES3_KEY_GEN CKM_DES3_ECB CKM_DES3_CBC CKM_DES3_CBC_PAD CKM_MD2 CKM_MD5
    CKM_SHA_1
    Checking that CKM_RSA_PKCS mechanism is supported ... ok
    Checking info for CKM_RSA_PKCS mechanism ... ok
    Checking CKM_RSA_PKCS mechanism supports signing ... ok
    Checking CKM_RSA_PKCS mechanism supports decryption ... ok
    Testing that card contains a user ... ok

Test user login

You can check whether the user login is set up correctly by using vastool.

NOTE: This command requires that you are joined to a domain.

To test whether it is possible to log in using the inserted card

  1. Run the vastool smartcard test login command.

    For example:

    # vastool smartcard test login
    Testing user user@vas.example
    Testing certificate validity ... ok
    Testing if PIN is required ... ok
    Enter PIN for user@vas.example:
    Performing login to card ... ok
    Creating ID for client with UPN 'user@vas.example' ... ok
    Establish initial credentials using PKCS#11 ... ok

    This command uses the inserted card to perform a log in to Active Directory. It displays a warning if the user is not UNIX enabled, and displays an error if the log in fails. This command is useful when troubleshooting Safeguard Authentication Services for Smart Cards log in problems.

Troubleshooting

To help you troubleshoot your Safeguard Authentication Services for Smart Cards installation, One Identity recommends the following resolutions to some of the common problems you might encounter.

Steps to diagnose problems

Safeguard Authentication Services for Smart Cards provides a number of tools and options to diagnose problems.

  1. Checking the smart card reader

  2. Checking the PKCS#11 library

  3. Checking the card

  4. Checking login

  5. Enabling debugging for smart card login with PAM

  6. Enabling debugging for the Safeguard Authentication Services daemon

  7. Enabling debugging for the PKCS#11 library

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation