
Safeguard Authentication Services 4.1.5 - Authentication Services for Smart Cards Administration Guide


Testing the PKCS#11 library for Authentication Services for Smart Cards compatibility (optional)

The vastool utility provides an option to test whether a PKCS#11 library is suitable for use with Authentication Services for Smart Cards.

To test the PKCS#11 library

  1. Run the following command:
    vastool smartcard -l <library> test library

    where <library> is the path to the PKCS#11 library you want to test.

    For example, to test the Gemalto PKCS#11 drivers on a Red Hat x86 platform, run the following command:

    vastool smartcard -l \
    /usr/local/lib/libxltCk.so test library

    This displays the following output if the driver is correctly installed:

    Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
    Checking PKCS#11 library may be dynamically loaded ... ok
    Checking PKCS#11 library contains necessary symbols ... ok
    Checking PKCS#11 function list can be obtained ... ok
    Checking PKCS#11 library version is compatible ... ok
    Checking PKCS#11 library can be initialized ... ok
    Checking PKCS#11 library can be finalized ... ok

Configuring the vendor's PKCS#11 library using VASTOOL

To configure the location of the PKCS#11 library using vastool

  1. Log in and open a root shell.
  2. Run the following command:
    vastool smartcard configure pkcs11 lib <library>

    where <library> is the path to the PKCS#11 library.

    For example:

    • to configure the CoolKey PKCS#11 library, run the following command:
      vastool smartcard configure pkcs11 lib /usr/lib/pkcs11/libcoolkeypk11.so
    • to configure the Gemalto 64-bit PKCS#11 library, run the following command:
      vastool smartcard configure pkcs11 lib /usr/local/lib64/libxltCk.so
    • to configure the ActivClient PKCS#11 library, run the following command:
      vastool smartcard configure pkcs11 lib /usr/local/ActivIdentity/ActivClient/lib/libacpkcs211.so

Note: You can configure the PKCS#11 library using this procedure or by editing the vas.conf file.

Configuring the vendor's PKCS#11 library by editing the configuration file

You can manually configure the location of the vendor's PKCS#11 library by editing the setting in the /etc/opt/quest/vas.conf file.

To configure the PKCS#11 library by editing the vas.conf file

  1. Log in and open a root shell.
  2. Open the file /etc/opt/quest/vas.conf in the editor of your choice.
  3. Add the section:
    [pkcs11]
    pkcs11-lib = <library>

    where <library> is the path to the vendor's PKCS#11 library.
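
An added example, not part of the One Identity documentation: a pre-flight script that reads pkcs11-lib from the [pkcs11] section, confirms the library is an absolute path to a regular file that group and other cannot write, and then runs the vastool library test described above if vastool is installed. The function names and the file-permission policy are assumptions of this example, and the demo at the end runs on constructed temporary files.

```shell
#!/bin/sh
# Added example: pre-flight check for the pkcs11-lib setting in vas.conf.

# Print the pkcs11-lib value from the [pkcs11] section of the given file.
pkcs11_lib_from_conf() {
  awk '
    /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[pkcs11\][ \t]*$/); next }
    in_sec && /^[ \t]*pkcs11-lib[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

# Return 0 only if the library path is absolute, is a regular file, and is
# not writable by group or other (policy assumed by this example).
check_pkcs11_lib() {
  case $1 in /*) ;; *) echo "FAIL not an absolute path: $1"; return 1 ;; esac
  [ -f "$1" ] || { echo "FAIL missing or not a regular file: $1"; return 1; }
  mode=$(ls -ldL "$1" | cut -c1-10)   # -L: judge the symlink target
  case $mode in
    ?????w????|????????w?) echo "FAIL group/other writable ($mode): $1"; return 1 ;;
  esac
  echo "ok $1 ($mode)"
}

# Audit one configuration file; run the vendor self-test when vastool exists.
audit_vas_pkcs11() {
  lib=$(pkcs11_lib_from_conf "$1")
  [ -n "$lib" ] || { echo "FAIL no pkcs11-lib in [pkcs11] section of $1"; return 1; }
  check_pkcs11_lib "$lib" || return 1
  if command -v vastool >/dev/null 2>&1; then
    vastool smartcard -l "$lib" test library
  fi
}

# Demo on constructed input (temporary files, not a real installation).
demo_dir=$(mktemp -d)
: > "$demo_dir/libexample.so"; chmod 755 "$demo_dir/libexample.so"
printf '[pkcs11]\n  pkcs11-lib = %s  \n' "$demo_dir/libexample.so" > "$demo_dir/vas.conf"
audit_vas_pkcs11 "$demo_dir/vas.conf"      # passes the path and mode checks
chmod 777 "$demo_dir/libexample.so"
audit_vas_pkcs11 "$demo_dir/vas.conf" || echo "rejected as expected"
rm -rf "$demo_dir"
```

On a real host, call audit_vas_pkcs11 /etc/opt/quest/vas.conf from a root shell after editing the file.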

Configuring the PKCS#11 library for 32-bit and 64-bit versions

When you install Authentication Services for Smart Cards on a 64-bit platform, you install both 64- and 32-bit versions of the libraries and Authentication Services PAM modules. If you want to use both architectures (for example to allow smart card login using a 32-bit application), you need both 32-bit and 64-bit PKCS#11 libraries.

To install both these libraries, follow the appropriate steps for your platform.
