This procedure tests the Safeguard Authentication Services for Smart Cards installation. It ensures that the library is installed correctly, the card has been initialized, there is a valid user certificate installed, and the card can be used to log into Active Directory.
To test the Safeguard Authentication Services for Smart Cards installation
- Attach a supported reader.
- Insert the initialized card.
- Run the following command.
vastool smartcard test all
If the card is configured correctly, it displays output similar to the following:
Config:
-------
Checking that a PKCS#11 library is specified ... ok
(Specifying PKCS#11 slot is optional)
Library:
--------
Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... ok
Checking PKCS#11 function list can be obtained ... ok
Checking PKCS#11 library version is compatible ... ok
Checking PKCS#11 library can be initialized ... ok
Checking PKCS#11 library can be finalized ... ok
Card:
-----
Getting mechanisms ... ok
Checking for required mechanisms ... ok
Testing that card contains a user ... ok
User:
-----
Testing user j.doe@example.com
Testing if PIN is required ... ok
Enter PIN for j.doe@example.com: ****
Performing login to card ... ok
Generating signature ... ok
Verifying signature ... ok
Login:
-----
Testing user j.doe@example.com
Testing if PIN is required ... ok
Enter PIN for j.doe@example.com:
Performing login to card ... ok
Creating ID for client with UPN 'j.doe@example.com' ... ok
Establish initial credentials using PKCS#11 ... ok
The vastool smartcard test command provides a number of tests to determine whether you have correctly set up your environment and initialized your cards.
NOTE: While this step is optional, One Identity strongly recommends that you test your configuration before you enable Safeguard Authentication Services for Smart Cards for a specific login service.
Some of the available tests require that you insert a card.
NOTE: For more details about the different options available for the vastool smartcard test subcommand, see the vastool man page.
You can check if the PKCS#11 library or any other library is configured correctly with vastool.
To test that the PKCS#11 library is configured correctly
- Run the vastool smartcard test library command.
For example, to test the currently configured library, enter:
vastool smartcard test library
If it is configured correctly, it returns output similar to:
Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... ok
Checking PKCS#11 function list can be obtained ... ok
Checking PKCS#11 library version is compatible ... ok
Checking PKCS#11 library can be initialized ... ok
Checking PKCS#11 library can be finalized ... ok
To test a library other than the currently configured one
- Specify an argument to vastool smartcard test library.
For example:
# vastool smartcard test library \
/usr/local/lib/libxltCk.so
If the library could not be loaded, or does not export a PKCS#11 interface, then vastool smartcard test library displays an error message, similar to the following:
# vastool smartcard test library \
/usr/local/lib/libpkcs11broken.so
Testing PKCS#11 library '/usr/local/lib/libpkcs11broken.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... failed
ERROR: PKCS#11 library does not contain symbol 'C_GetFunctionList'
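To use these tests as a pass/fail gate before enabling smart card login for a service, the output can be parsed for any check that did not report ok. The following is an added example, not One Identity code: it relies only on the line shapes shown on this page, the names vas_failed_checks and sample_broken_library_output are made up for the example, and the sample input is the failing library transcript above.

```shell
#!/bin/sh
# Added example: summarise `vastool smartcard test` output.
# Assumed line shapes (taken from the transcripts on this page):
#   "Section:"                 section header, e.g. "Library:"
#   "<check> ... <status>"     one result per check
#   "ERROR: <text>"            detail for the preceding failed check

# Reads test output on stdin. Prints "section|check|status[|error]" for every
# check whose status is not "ok". Returns 0 if all passed, 1 otherwise.
vas_failed_checks() {
    awk '
        function emit() { if (pending != "") { print pending; pending = "" } }
        BEGIN { section = "-" }            # "-" when no header has been seen
        { sub(/^[ \t]+/, "") }             # tolerate indented output
        /^[A-Za-z]+:$/ {                   # section header
            emit(); section = substr($0, 1, length($0) - 1); next
        }
        / \.\.\. [a-z]+$/ {                # result line
            emit()
            status = $NF
            check = $0
            sub(/ \.\.\. [a-z]+$/, "", check)
            if (status != "ok") { pending = section "|" check "|" status; bad++ }
            next
        }
        /^ERROR: / {                       # attach detail to the failed check
            if (pending != "") pending = pending "|" substr($0, 8)
            next
        }
        END { emit(); exit (bad > 0) }
    '
}

# Sample input: the failing transcript from this page.
sample_broken_library_output() {
    cat <<'EOF'
Testing PKCS#11 library '/usr/local/lib/libpkcs11broken.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... failed
ERROR: PKCS#11 library does not contain symbol 'C_GetFunctionList'
EOF
}

# Demo on the sample; on a real host, pipe the tool instead:
#   vastool smartcard test library 2>&1 | vas_failed_checks
sample_broken_library_output | vas_failed_checks ||
    echo "library test failed: do not enable smart card login yet"
```

The card, user and login tests prompt for a PIN, so run those interactively or capture their output to a file before parsing it.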
You can check if the smart card is set up correctly with vastool.
To test that a smart card has been correctly initialized
- Insert the smart card into the reader.
- Run vastool smartcard test card. For example:
# vastool smartcard test card
Getting mechanisms ... ok
Checking for required mechanisms ... ok
Testing that card contains a user ... ok
This test displays a warning if the card is not recognized, or has not been correctly initialized.