
Safeguard Authentication Services 4.1.5 - Authentication Services for Smart Cards Administration Guide


Configure 32-bit and 64-bit libraries on Red Hat Linux

To configure 32-bit and 64-bit libraries on Red Hat Linux

  1. Log in and open a root shell.
  2. Create a symbolic link from the 64-bit library to the /opt/quest/lib64/pkcs11 directory:
    ln -s <64-bit-library>.so \
    /opt/quest/lib64/pkcs11/<library-name>.so

    where 64-bit-library is the full path to the 64-bit PKCS#11 library, and library-name is the name by which you want to refer to the driver. This must be the same name you give the 32-bit library.

  3. Create a symbolic link from the 32-bit library to the /opt/quest/lib/pkcs11 directory:
    ln -s <32-bit-library>.so \
    /opt/quest/lib/pkcs11/<library-name>.so

    where 32-bit-library is the full path to the 32-bit PKCS#11 library, and library-name is the name by which you want to refer to the driver. This must be the same name you gave the 64-bit library.

  4. Open the file /etc/opt/quest/vas/vas.conf in the editor of your choice.
  5. Add the section:
    [pkcs11]
    pkcs11-lib = <library-name>.so

    where library-name is the name you gave to both the 32- and 64-bit libraries.

Note: The Authentication Services agent package installs only 64-bit versions of vastool, so it is not possible to test 32-bit versions of the PKCS#11 library using the vastool smartcard test commands.
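
A file-level check of the links created in steps 2 and 3, as an added example that is not part of the original guide: it reads the ELF class byte of each link target, so a 32-bit link that points at a 64-bit library is caught even though vastool cannot test it. The `QUEST_ROOT` override, the script name `check-pkcs11.sh` and the writability check are assumptions of this example, not product features.

```shell
#!/bin/sh
# Added example: verify the PKCS#11 symlinks from the procedure above.
# QUEST_ROOT is a hypothetical override so the check can run on a test tree.
QUEST_ROOT="${QUEST_ROOT:-/opt/quest}"

# elf_class FILE: print 32 or 64 from the ELF header (EI_CLASS, byte 4);
# fail if FILE does not start with the ELF magic.
elf_class() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    case $(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n') in
        1) echo 32 ;;
        2) echo 64 ;;
        *) return 1 ;;
    esac
}

# check_link DIR NAME BITS: succeed only if DIR/NAME resolves to an ELF
# object of the expected class that group and others cannot write to.
check_link() {
    link="$1/$2"
    [ -e "$link" ] || { echo "FAIL: $link is missing or dangling"; return 1; }
    got=$(elf_class "$link") || { echo "FAIL: $link is not ELF"; return 1; }
    [ "$got" = "$3" ] || { echo "FAIL: $link is $got-bit, want $3-bit"; return 1; }
    if [ -n "$(find -L "$link" \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: target of $link is group- or world-writable"; return 1
    fi
    echo "OK: $link ($got-bit)"
}

# check_pkcs11 NAME: the same NAME must exist under both directories.
check_pkcs11() {
    rc=0
    check_link "$QUEST_ROOT/lib64/pkcs11" "$1" 64 || rc=1
    check_link "$QUEST_ROOT/lib/pkcs11" "$1" 32 || rc=1
    return "$rc"
}

# Run as: sh check-pkcs11.sh <library-name>.so  (hypothetical script name)
if [ "$#" -eq 1 ]; then check_pkcs11 "$1"; fi
```

The writability test is included because the library is loaded during login, so its target should be modifiable by root only.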

Configuring the card slot for your PKCS#11 library

If you have multiple readers, or your card reader supports multiple slots, your vendor's PKCS#11 library may require you to specify the card slot you will use to log in. If you do not specify a slot, Authentication Services for Smart Cards will probe for the first available slot. Typically, you will not need to configure this option. For more details on which slot number to configure, consult your vendor's PKCS#11 documentation.

If the slot is not specified correctly then some smart card functions may return an error, for example:

vastool smartcard info card
ERROR: smart card is not present in slot

Configuring the card slot using VASTOOL

To configure the PKCS#11 card slot using vastool

  1. Log in and open a root shell.
  2. Run the command:
    vastool smartcard configure pkcs11 slot \
    <slot-id>

    where slot-id is the card slot.

Note: You can remove the PKCS#11 slot from the configuration by running the vastool smartcard unconfigure pkcs11 slot command.

Configuring the vendor's PKCS#11 slot by editing the configuration file

You can manually configure the vendor's PKCS#11 card slot by editing the setting in the /etc/opt/quest/vas/vas.conf file.

To configure the PKCS#11 card slot in vas.conf

  1. Log in and open a root shell.
  2. Open the /etc/opt/quest/vas/vas.conf file in the editor of your choice.
  3. Locate the [pkcs11] section (or add one if not present), and add the following:
    pkcs11-slot = <slot-id>

    where slot-id is the number of the slot you want to use to log in.

Note: Remember that specifying a slot id is optional. Authentication Services for Smart Cards will probe for an available slot if a slot id is not specified.
