Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Safeguard Authentication Services 4.1.5 - Authentication Services for Smart Cards Administration Guide

Table of Contents

One Identity Privileged Access Suite for Unix

About this guide

Introducing Authentication Services for Smart Cards

Authentication Services for Smart Cards features and benefits

Strong two-factor authentication for Unix Smart Card login integrated with Active Directory Integration with existing Unix applications

Supported platforms Supported cards and readers Authentication Services for Smart Cards components

Authentication Services for Smart Cards plugin

The Authentication Services PAM module The vastool smartcard command line utility Vendor PKCS#11 drivers

Installing Authentication Services for Smart Cards

Installing vendor smart card drivers

Logging in to Active Directory with your card

Installing Authentication Services for Smart Cards software

Configuring Authentication Services for Smart Cards

Configuring the vendor’s PKCS#11 library

Testing the PKCS#11 library for Authentication Services for Smart Cards compatibility (optional) Configuring the vendor's PKCS#11 library using VASTOOL Configuring the vendor's PKCS#11 library by editing the configuration file Configuring the PKCS#11 library for 32-bit and 64-bit versions

Configure 32-bit and 64-bit libraries on RedHat Linux

Configuring the card slot for your PKCS#11 library

Configuring the card slot using VASTOOL Configuring the vendor's PKCS#11 slot by editing the configuration file

Configuring PAM applications for smart card login

Security issues when configuring smart card login Usability issues with PAM applications Enabling smart card login for selected services

Enable smart card login Disable smart card login

Configuring applications for smart card and password login

Example: Application configured for Redhat Enterprise Linux 4.0 login

Configuring applications for smart card login pam_vas_smartcard options Configuring GDM

Configure GDM for smart card Disable remote login

Edit the GDM configuration file manually Edit the GDM configuration file With the graphical application

Use GDM with a smart card

Configuring KDM

Configure KDM for smart card Disable remote login Use KDM with a smart card

Configuring XDM

Configure XDM for smart card Disable remote login

Configuring console login

Configure console login for smart card Disable remote login Use console login with a smart card

Configuring certificates and CRLs

Public Key Infrastructure Certificates and CRLs

How Authentication Services for Smart Cards uses certificates and CRLs Bootstrapping trusted certificates Automatic CRL retrieval Options for controlling certificate and CRL processing Managing certificates and CRLs

Update certificates manually Force an update of certificates Disable bootstrap and manage certificates and CRLs manually

Testing Authentication Services for Smart Cards

Testing general configuration and login using smart card Testing the configuration

Test the PKCS#11 library Test the smart card is initialized correctly Test the smart card user Test user login

Troubleshooting

Steps to diagnose problems

Check the smart card reader Check the PKCS#11 library Check the card Check login Enable debug for smart card login with PAM Enable debug for the Authentication Services daemon

Troubleshooting vastool errors

vastool ERROR: no PKCS#11 library specified in vas.conf vastool ERROR: Could not get symbol 'C_GetFunctionList' vastool ERROR: invalid ELF header vastool ERROR: cannot open shared object file vastool ERROR: smart card is not present in slot vastool WARNING: "Smart card user X is not unix enabled" Issue

Troubleshooting PAM or "vastool smartcard test login" errors

Login fails when the network connectivity is down Login fails when the system's internal clock is not synchronized Login fails when the user account is disabled Login fails when the user's certificate is not authorized Troubleshooting "KDC has no support for padata type" issue Troubleshooting "Cannot contact any KDC for requested realm" issue

Troubleshooting log errors

Log shows "clock skew problems" Log shows "server policy does not allow them on" or "account is expired" Log shows "Failed authentication attempt: cannot verify certificate"

Troubleshooting "Client not trusted" issue Troubleshooting certificate lookups

Update certificates manually

Configuring Authentication Services for Smart Cards > Configuring certificates and CRLs > Managing certificates and CRLs > Update certificates manually

By default certificates and CRLs are updated if the trusted-certs-update-interval has expired, and then only during the login process. You can request an update of the trusted certificates directory manually by using the vastool smartcard trusted-certs command, as follows:

vastool smartcard trusted-certs update

Note: You can schedule an update during off hours using a cron job.

Force an update of certificates

Configuring Authentication Services for Smart Cards > Configuring certificates and CRLs > Managing certificates and CRLs > Force an update of certificates

You can manually update the trusted certificates outside the configured period. For example, to retrieve a recently added trusted certificate, use the -f option with the vastool smartcard trusted-certs command, as follows:

vastool smartcard trusted-certs update -f

This command removes the existing certificates from the NtAuth subdirectory and retrieves all the current trusted certificates from Active Directory.

Disable bootstrap and manage certificates and CRLs manually

Configuring Authentication Services for Smart Cards > Configuring certificates and CRLs > Managing certificates and CRLs > Disable bootstrap and manage certificates and CRLs manually

You can disable certificate bootstrapping and CRL downloading and distribute these items to Authentication Services clients by other means, such as Group Policy.

To disable bootstrap and manage certificates and CRLs manually

Set the auto-crl-download, auto-crl-removal and bootstrap-trusted-certs options to false in the [pkinit] section of the /etc/opt/quest/vas/vas.conf files, as follows:
```
[pkinit]
auto-crl-download = false
auto-crl-removal = false
bootstrap-trusted-certs = false
```
Place the trusted certificates in the /var/opt/quest/vas/certs directory.
Place CRLs in the /var/opt/quest/vas/crls directory.

Testing Authentication Services for Smart Cards

Testing Authentication Services for Smart Cards

Testing general configuration and login using smart card

Testing the configuration

Test the PKCS#11 library

Test the smart card is initialized correctly

Test the smart card user

Test user login

After you install and configure Authentication Services for Smart Cards to work with your vendor's PKCS#11 library drivers, you will want to validate your installation.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2023 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy