If you have multiple readers, or your card reader supports multiple slots, your vendor's PKCS#11 library may require you to specify the card slot with which you will be using to log in. If you do not specify a slot, Safeguard Authentication Services for Smart Cards will probe for the first available slot. Typically, you will not need to configure this option. For more information on which slot number to configure, see your vendor's PKCS#11 documentation.
If the slot is not specified correctly, some smart card functions may return an error, for example:
vastool smartcard info card
ERROR: smart card is not present in slot
To configure the location of the PKCS#11 library using vastool
-
Log in and open a root shell.
-
Run the following command:
vastool smartcard configure pkcs11 slot \
<slot-id>
where <slot-id> is the card slot.
NOTE: You can remove the PKCS#11 slot from the configuration by running the vastool smartcard unconfigure pkcs11 slot command.
You can manually configure the location of the vendor's PKCS#11 card slot by editing the setting in the /etc/opt/quest/vas.conf file.
To configure the location of the PKCS#11 card slot in vas.conf
-
Log in and open a root shell.
-
In an editor of your choice, open the /etc/opt/quest/vas/vas.conf file.
-
Locate the [pkcs11] section (or add one if not present), and add the following:
pkcs11-slot = <slot-id>
where <slot-id> is the number of the slot you want to use to log in.
NOTE: Remember that specifying a slot id is optional. Safeguard Authentication Services for Smart Cards will probe for an available slot if a slot id is not specified.
To integrate Safeguard Authentication Services for Smart Cards with existing applications you, need to configure PAM. This section describes in detail how to configure the pam_vas_smartcard module for different scenarios, and gives recommendations for which options works well with some common login applications. The following topics are discussed:
-
Security issues when configuring smart card login
-
Usability issues when configuring smart card login
-
Configuring PAM for smart card only login
-
Configuring PAM for smart card and password login
-
Configuring GDM
-
Configuring KDM
-
Configuring XDM
-
Configuring Console Login
-
Configuring Dtlogin
You can find background information on PAM and configuring Safeguard Authentication Services PAM modules in the Safeguard Authentication Services Administration Guide, which can be found on the Authentication Services - Technical Documentation page on the One Identity support site.