
Safeguard Authentication Services 4.1.5 - Authentication Services for Smart Cards Administration Guide


Logging in to Active Directory with your card

Authentication Services for Smart Cards requires that you:

  • enable smart card log on support for Active Directory
  • initialize your card using vendor-supplied software
  • use your card to enroll for a smart card certificate with your Certificate Authority

For more information on setting up and deploying smart cards with Active Directory, see The Smart Card Deployment Cookbook.

Ensure that you can use this card to log on to a Windows workstation before attempting to use it to log in with Authentication Services for Smart Cards.

Installing Authentication Services for Smart Cards software

Authentication Services for Smart Cards is bundled as a separate installation package on the Authentication Services Installation media.

To install Authentication Services for Smart Cards on a supported platform, run the Authentication Services installation script, as follows.

# ./install.sh vasclnt vassc

Note: If Authentication Services is already installed, you can omit the "vasclnt" argument.

Configuring Authentication Services for Smart Cards

You must configure Authentication Services for Smart Cards to work with your vendor's PKCS#11 library drivers.

Configuring the vendor’s PKCS#11 library

Authentication Services for Smart Cards interfaces with the smart card and the smart card reader using the vendor’s PKCS#11 driver. This is a shared library implementing a standard interface supported by most card vendors for accessing the cryptographic functions of smart cards and tokens.

Note: Authentication Services for Smart Cards is derived from the RSA Security Inc. PKCS#11 Cryptographic Token Interface (Cryptoki). See RSA Laboratories for details of this standard.

Authentication Services for Smart Cards requires that you configure Authentication Services with the location of your vendor's PKCS#11 driver. If the driver is not configured, you will be unable to use some smart card functions, and vastool displays an error similar to this:

vastool smartcard info card
ERROR: no PKCS#11 library specified in vas.conf

To configure Authentication Services you need to know the location of your vendor's PKCS#11 shared library on the file system. Consult your vendor documentation for this information.

Note: You can specify the location of the PKCS#11 library using either the full path to the PKCS#11 shared library or a path relative to the appropriate pkcs11 library subdirectory under /opt/quest for your architecture. For example, /opt/quest/lib/pkcs11 on x86 Linux systems. (See Configuring the PKCS#11 library for 32-bit and 64-bit versions.)

For example:

The Gemalto 5.1 Drivers for Red Hat Linux on x86 platforms are installed in /usr/local/lib/libxltCk.so.
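
The following shell functions are an added example, not part of the Authentication Services software. They resolve a library path as the note above describes (full path, or relative to the pkcs11 subdirectory) and check that the file exists, is an ELF object of the expected 32-bit or 64-bit class, and is not writable by group or other. The function names and the PKCS11_BASE variable are assumptions, and the ELF check assumes a platform such as Linux.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight checks on a PKCS#11 library path.
# Default base is the x86 Linux directory named in this guide; override per architecture.
PKCS11_BASE="${PKCS11_BASE:-/opt/quest/lib/pkcs11}"

# A full path is used as given; a relative one is taken under PKCS11_BASE.
resolve_pkcs11_path() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$PKCS11_BASE" "$1" ;;
    esac
}

# Print 32 or 64 from the ELF header (magic + EI_CLASS byte); fail if not ELF.
elf_class() {
    magic=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \t\n')
    case "$magic" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *) return 1 ;;
    esac
}

# check_pkcs11_lib PATH [32|64]: 0 = usable, otherwise a reason on stderr.
check_pkcs11_lib() {
    lib=$(resolve_pkcs11_path "$1")
    [ -f "$lib" ] || { echo "missing: $lib" >&2; return 2; }
    class=$(elf_class "$lib") || { echo "not an ELF object: $lib" >&2; return 3; }
    if [ -n "$2" ] && [ "$class" != "$2" ]; then
        echo "ELF class is $class-bit, expected $2-bit: $lib" >&2; return 4
    fi
    # The library is loaded by the authentication software, so reject
    # files that group or other can modify.
    if [ -n "$(find -L "$lib" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "writable by group or other: $lib" >&2; return 5
    fi
    echo "ok: $lib ($class-bit)"
}

# Stand-alone use: sh check_pkcs11.sh /usr/local/lib/libxltCk.so 64
if [ "$#" -gt 0 ]; then check_pkcs11_lib "$@"; fi
```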
