Logging in to Active Directory with your card
Authentication Services for Smart Cards requires that you
- enable smart card log on support for Active Directory
- initialize your card using vendor supplied software
- use your card to enroll for a smart card certificate with your Certificate Authority
For more information on setting up and deploying smart cards with Active Directory see:
The Smart Card Deployment Cookbook.
Ensure that you can use this card to log on to a Windows workstation before attempting to use it to log in with Authentication Services for Smart Cards.
Installing Authentication Services for Smart Cards software
Authentication Services for Smart Cards is bundled as a separate installation package on the Authentication Services Installation media.
To install Authentication Services for Smart Cards on a supported platform, run the Authentication Services installation script, as follows.
# ./install.sh vasclnt vassc
|
|
Note: If Authentication Services is already installed, you can omit the "vasclnt" argument. |
Configuring Authentication Services for Smart Cards
Configuring the vendor’s PKCS#11 library
Testing the PKCS#11 library for Authentication Services for Smart Cards compatibility (optional)
Configuring the vendor's PKCS#11 library using VASTOOL
Configuring the vendor's PKCS#11 library by editing the configuration file
Configuring the PKCS#11 library for 32-bit and 64-bit versions
Configuring the card slot for your PKCS#11 library
Configuring the card slot using VASTOOL
Configuring the vendor's PKCS#11 slot by editing the configuration file
Configuring PAM applications for smart card login
Security issues when configuring smart card login
Usability issues with PAM applications
Enabling smart card login for selected services
Configuring applications for smart card and password login
Configuring applications for smart card login
Configuring certificates and CRLs
How Authentication Services for Smart Cards uses certificates and CRLs
Bootstrapping trusted certificates
You must configure Authentication Services for Smart Cards to work with your vendor's PKCS#11 library drivers.
Configuring the vendor’s PKCS#11 library
Authentication Services for Smart Cards interfaces with the smart card and the smart card reader using the vendor’s PKCS#11 driver. This is a shared library implementing a standard interface supported by most card vendors for accessing the cryptographic functions of smart cards and tokens.
|
|
Note: Authentication Services for Smart Cards is derived from the RSA Security Inc. PKCS#11 Cryptographic Token Interface (Cryptoki). See RSA Laboratories for details of this standard. |
Authentication Services for Smart Cards requires that you configure Authentication Services with the location of your vendor's PKCS#11 driver. If the driver is not configured you will be unable to use some smart card functions and it displays an error similar to this:
vastool smartcard info card ERROR: no PKCS#11 library specified in vas.conf
To configure Authentication Services you need to know the location of your vendor's PKCS#11 shared library on the file system. Consult your vendor documentation for this information.
|
|
Note: You can specify the location of the PKCS#11 using either the full path to the PKCS#11 shared library or a path relative to the appropriate pkcs11 library subdirectory under /opt/quest for your architecture. For example, /opt/quest/lib/pkcs11 on x86 Linux systems. (See Configuring the PKCS#11 library for 32-bit and 64-bit versions.) |
For Example:
The Gemalto 5.1 Drivers for Red Hat Linux on x86 platforms are installed in /usr/local/lib/libxltCk.so.