Safeguard Authentication Services 4.1.5 - Authentication Services for Smart Cards Administration Guide

Testing general configuration and login using smart card

This procedure tests the Authentication Services for Smart Cards installation. It verifies that the library is installed correctly, the card has been initialized, a valid user certificate is installed, and the card can be used to log in to Active Directory.

To test the Authentication Services for Smart Cards installation

  1. Attach a supported reader.
  2. Insert the initialized card.
  3. Run the following command.
    vastool smartcard test all

    If the card is configured correctly, it displays output similar to the following:

    Config:
    -------
    Checking that a PKCS#11 library is specified ... ok
    (Specifying PKCS#11 slot is optional)
    Library:
    --------
    Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
    Checking PKCS#11 library may be dynamically loaded ... ok
    Checking PKCS#11 library contains necessary symbols ... ok
    Checking PKCS#11 function list can be obtained ... ok
    Checking PKCS#11 library version is compatible ... ok
    Checking PKCS#11 library can be initialized ... ok
    Checking PKCS#11 library can be finalized ... ok
    Card:
    -----
    Getting mechanisms ... ok
    Checking for required mechanisms ... ok
    Testing that card contains a user ... ok
    User:
    -----
    Testing user j.doe@example.com
    Testing if PIN is required ... ok
    Enter PIN for j.doe@example.com: ****
    Performing login to card ... ok
    Generating signature ... ok
    Verifying signature ... ok
    Login:
    -----
    Testing user j.doe@example.com
    Testing if PIN is required ... ok
    Enter PIN for j.doe@example.com:
    Performing login to card ... ok
    Creating ID for client with UPN 'j.doe@example.com' ... ok
    Establish initial credentials using PKCS#11 ... ok

Testing the configuration

The vastool smartcard test command provides a number of tests to determine whether you have correctly set up your environment and initialized your cards. While this step is optional, One Identity strongly recommends that you test your configuration before you enable Authentication Services for Smart Cards for a specific login service.

Some of the available tests require that you insert a card.

Note: See the vastool man page for more details about the different options available for the vastool smartcard test subcommand.

Test the PKCS#11 library

To test that the PKCS#11 library is configured correctly

  1. Run the vastool smartcard test library command.

    For example, to test the currently configured library, enter:

    vastool smartcard test library

    If it is configured correctly, it returns output similar to:

    Testing PKCS#11 library '/usr/local/lib/libxltCk.so': 
    Checking PKCS#11 library may be dynamically loaded ... ok 
    Checking PKCS#11 library contains necessary symbols ... ok 
    Checking PKCS#11 function list can be obtained ... ok 
    Checking PKCS#11 library version is compatible ... ok 
    Checking PKCS#11 library can be initialized ... ok
    Checking PKCS#11 library can be finalized ... ok

To test a library other than the currently configured one

  1. Specify an argument to vastool smartcard test library.

    For example:

    # vastool smartcard test library \
    /usr/local/lib/libxltCk.so

    If the library could not be loaded, or does not export a PKCS#11 interface, then vastool smartcard test library displays an error message, similar to the following:

    # vastool smartcard test library \
    /usr/local/lib/libpkcs11broken.so
    Testing PKCS#11 library '/usr/local/lib/libpkcs11broken.so':
    Checking PKCS#11 library may be dynamically loaded ... ok
    Checking PKCS#11 library contains necessary symbols ... failed
    ERROR: PKCS#11 library does not contain symbol 'C_GetFunctionList'

Test that the smart card is initialized correctly

To test that a smart card has been correctly initialized

  1. Insert the smart card into the reader.
  2. Run vastool smartcard test card. For example:
    # vastool smartcard test card
    Getting mechanisms ... ok
    Checking for required mechanisms ... ok
    Testing that card contains a user ... ok

This test displays a warning if the card is not recognized, or has not been correctly initialized.
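When these tests are run on many hosts before smart card login is enabled, the ok/failed lines can be checked mechanically. The following is an added example, not One Identity's code: a shell function that reads vastool smartcard test output on stdin and lists the failed checks, assuming only the line shapes shown on this page. The names vas_sc_failures and sample_broken are hypothetical, and the sample output is constructed from the examples above.

```shell
#!/bin/sh
# Added example: summarise `vastool smartcard test` output read from stdin.
# Assumes only the line shapes shown on this page:
#   "<Section>:"             section header (Config:, Library:, Card:, ...)
#   "<check> ... ok|failed"  result of one check
#   "ERROR: <detail>"        detail for the check that just failed
# Prints "section|check|detail" per failed check; returns 1 if any check failed.
vas_sc_failures() {
    awk '
    function emit() {
        if (check != "") { print section "|" check "|" detail; bad++ }
        check = ""; detail = ""
    }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # tolerate indented or padded lines
    /^[A-Za-z]+:$/ { emit(); section = substr($0, 1, length($0) - 1); next }
    / \.\.\. [^ ]+$/ {
        emit()
        # Assumption: any status other than ok counts as a failure.
        if ($NF != "ok") { check = $0; sub(/ \.\.\. [^ ]+$/, "", check) }
        next
    }
    /^ERROR: / { if (check != "") detail = substr($0, 8); next }
    END { emit(); exit (bad > 0) }
    '
}

# Constructed sample: a "test all" style run in which the library check fails.
sample_broken() {
    cat <<'EOF'
Config:
-------
Checking that a PKCS#11 library is specified ... ok
Library:
--------
Testing PKCS#11 library '/usr/local/lib/libpkcs11broken.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... failed
ERROR: PKCS#11 library does not contain symbol 'C_GetFunctionList'
EOF
}

# Demo on the constructed sample; on a real host, pipe the command instead:
#   vastool smartcard test library | vas_sc_failures
sample_broken | vas_sc_failures || echo "smart card checks failed: do not enable login yet"
```

The library test needs no card or PIN, so it is the one best suited to unattended runs; the user and login tests prompt for a PIN.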