Authentication Services 4.1.7 - Authentication Services for Smart Cards Administration Guide

One Identity Privileged Access Suite for Unix Introducing Authentication Services for Smart Cards Installing Authentication Services for Smart Cards Configuring Authentication Services for Smart Cards
Configuring the vendor’s PKCS#11 library Configuring the card slot for your PKCS#11 library Configuring PAM applications for smart card login Configuring certificates and CRLs
Testing Authentication Services for Smart Cards Troubleshooting

One Identity Privileged Access Suite for Unix

Unix Security Simplified

Privileged Access Suite for Unix solves the inherent security and administration issues of Unix-based systems (including Linux and Mac OS X) while making satisfying compliance requirements a breeze. It unifies and consolidates identities, assigns individual accountability and enables centralized reporting for user and administrator access to Unix. The Privileged Access Suite for Unix is a one-stop shop for Unix security that combines an Active Directory bridge and root delegation solutions under a unified console that grants organizations centralized visibility and streamlined administration of identities and access rights across their entire Unix environment.

Active Directory Bridge

Achieve unified access control, authentication, authorization and identity administration for Unix, Linux, and Mac OS X systems by extending them into Active Directory (AD) and taking advantage of AD’s inherent benefits. Patented technology allows non-Windows resources to become part of the AD trusted realm, and extends AD’s security, compliance and Kerberos-based authentication capabilities to Unix, Linux, and Mac OS X. (See www.oneidentity.com/products/authentication-services/ for more information about the Active Directory Bridge product.)

Root Delegation

The Privileged Access Suite for Unix offers two different approaches to delegating the Unix root account. The suite either enhances or replaces sudo, depending on your needs.

  • By choosing to enhance sudo, you will keep everything you know and love about sudo while enhancing it with features like a central sudo policy server, centralized keystroke logs, a sudo event log, and compliance reports for who can do what with Sudo.

    (See www.oneidentity.com/products/privilege-manager-for-sudo/ for more information about enhancing sudo.)

  • By choosing to replace sudo, you will still be able to delegate the Unix root privilege based on centralized policy reporting on access rights, but with a more granular permission and the ability to log keystrokes on all activities from the time a user logs in, not just the commands that are prefixed with "sudo". In addition, this option implements several additional security features like restricted shells, remote host command execution, and hardened binaries that remove the ability to escape out of commands and gain undetected elevated access.

    (See www.oneidentity.com/products/privilege-manager-for-unix/ for more information about replacing sudo.)

Privileged Access Suite for Unix

Privileged Access Suite for Unix offers two editions - Standard edition and Advanced edition. Both editions include: Management Console for Unix, a common mangement console that provides a consolidated view and centralized point of management for local Unix users and groups; and, Authentication Services, patented technology that enables organizations to extend the security and compliance of Active Directory to Unix, Linux, and Mac OS X platforms and enterprise applications. In addition

  • The Standard edition licenses you for Privilege Manager for Sudo.
  • The Advanced edition licenses you for Privilege Manager for Unix.

One Identity recommends that you follow these steps:

  1. Install Authentication Services on one machine, so you can set up your Active Directory Forest.
  2. Install Management Console for Unix, so you can perform all the other installation steps from the mangement console.
  3. Add and profile host(s) using the mangement console.
  4. Configure the console to use Active Directory.
  5. Deploy client software to remote hosts.

    Depending on which Privileged Access Suite for Unix edition you have purchased, deploy either:

    • Privilege Manager for Unix software (that is, Privilege Manager Agent packages)

      -OR-

    • Privilege Manager for Sudo software (that is, Sudo Plugin packages)

About this guide

The Authentication Services for Smart Cards Administration Guide is intended for Windows, Unix, Linux, and Mac OS X system administrators, network administrators, consultants, analysts, and any other IT professionals who will be installing and configuring Authentication Services for Smart Cards; on the supported platforms. It describes the following:

  • Basic Concepts
    • Supported platforms
    • Supported cards and readers
  • Installation Prerequisites
  • Installing Authentication Services for Smart Cards software
  • Configuring the vendor's PKCS#11 driver
  • Testing your configuration
  • Enabling smart card login for selected services
  • Troubleshooting Authentication Services for Smart Cards

Note: The term "Unix" is used informally throughout the Authentication Services documentation to denote any operating system that closely resembles the trademarked system, UNIX.

Introducing Authentication Services for Smart Cards

The Authentication Services for Smart Cards feature makes it possible for a user to insert a smart card in a Authentication Services-enabled workstation and authenticate to Active Directory. Authentication Services for Smart Cards functionality extends strong, two-factor authentication to both Windows and Unix using a single user repository.

Authentication Services for Smart Cards features and benefits

Deploying Authentication Services for Smart Cards provides the following features and benefits:

  • Strong two-factor authentication for Unix
  • Smart card log in integrated with Active Directory
  • Integration with existing Unix applications
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents