
Safeguard Authentication Services 4.2 - Authentication Services for Smart Cards Administration Guide


Disable bootstrap and manage certificates and CRLs manually

You can disable certificate bootstrapping and CRL downloading and distribute these items to Authentication Services clients by other means, such as Group Policy.

To disable bootstrap and manage certificates and CRLs manually

  1. Set the auto-crl-download, auto-crl-removal and bootstrap-trusted-certs options to false in the [pkinit] section of the /etc/opt/quest/vas/vas.conf file on each client, as follows:
    [pkinit]
    auto-crl-download = false
    auto-crl-removal = false
    bootstrap-trusted-certs = false
  2. Place the trusted certificates in the /var/opt/quest/vas/certs directory.
  3. Place CRLs in the /var/opt/quest/vas/crls directory.
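Once bootstrapping and automatic CRL handling are off, nothing on the client will notice a missing certificate, a missing CRL, or a trust store that another local user can write to. The following check, which is an added example and not part of the One Identity product or this guide, parses the [pkinit] section of a vas.conf-style file (the section/key syntax and the sample [vasd] section are assumed), confirms the three options are false, and then inspects the two directories named in steps 2 and 3 for presence of files and for group/other write permission. The file suffixes used to recognise certificates and CRLs are an assumption; adjust them to whatever your distribution mechanism produces.

```python
import os
import stat

# Constructed sample of a vas.conf as the procedure above leaves it. The [vasd]
# section is made up, included only to show that the check is section-scoped.
SAMPLE_VAS_CONF = """\
[vasd]
auto-crl-download = true

[pkinit]
auto-crl-download = false
auto-crl-removal = false
bootstrap-trusted-certs = false
"""

# The three options the procedure sets, with the value they must carry.
REQUIRED_PKINIT = {
    "auto-crl-download": "false",
    "auto-crl-removal": "false",
    "bootstrap-trusted-certs": "false",
}

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def parse_ini(text):
    """Minimal section/key parser (assumed syntax: [section], key = value, # or ; comments)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def pkinit_problems(conf_text):
    """Names of the required [pkinit] options that are absent or not 'false'."""
    pkinit = parse_ini(conf_text).get("pkinit", {})
    return [k for k, want in REQUIRED_PKINIT.items() if pkinit.get(k) != want]


def trust_store_problems(directory, suffixes):
    """Check a manually managed certs/crls directory: it must exist, hold at least one
    file with an expected suffix, and neither it nor its files may be writable by
    group or others (a writable trust store lets a local user add a trusted CA)."""
    if not os.path.isdir(directory):
        return [f"{directory}: missing"]
    problems = []
    if os.stat(directory).st_mode & WRITABLE_BY_OTHERS:
        problems.append(f"{directory}: writable by group or others")
    files = [f for f in os.listdir(directory) if f.lower().endswith(suffixes)]
    if not files:
        problems.append(f"{directory}: no {'/'.join(suffixes)} files present")
    for f in files:
        if os.stat(os.path.join(directory, f)).st_mode & WRITABLE_BY_OTHERS:
            problems.append(f"{directory}/{f}: writable by group or others")
    return problems


def check_manual_mode(conf_text,
                      certs_dir="/var/opt/quest/vas/certs",
                      crls_dir="/var/opt/quest/vas/crls"):
    """Combine the configuration and trust-store checks into one list of problems."""
    problems = [f"[pkinit] {k} is not false" for k in pkinit_problems(conf_text)]
    problems += trust_store_problems(certs_dir, (".pem", ".crt", ".cer"))  # assumed suffixes
    problems += trust_store_problems(crls_dir, (".crl",))                  # assumed suffix
    return problems


if __name__ == "__main__":
    report = check_manual_mode(SAMPLE_VAS_CONF)
    for line in report or ["manual certificate/CRL management looks consistent"]:
        print(line)
```

Run it on the real client with `check_manual_mode(open("/etc/opt/quest/vas/vas.conf").read())`; an empty list means the settings and both directories are in the expected state.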

Locking the screen saver upon card removal (macOS)

The ability to lock the screen saver when a token is removed is a feature and function of the macOS screen saver.

To enforce this setting using Mac OS X Group Policy

  1. Navigate to User Configuration | Mac OS X Settings | Preference Manifests | Screen Saver Security from the Windows administrative machine that has the Authentication Services components installed.

  2. Configure the following settings so that the screen saver locks, and stays locked, once the smart card is removed:

    • Screensaver Require Password Delay: 0
    • Require Password For Screensaver Unlock: 1

Testing Authentication Services for Smart Cards

After you install and configure Authentication Services for Smart Cards to work with your vendor's PKCS#11 library drivers, you will want to validate your installation.

Testing general configuration and login using smart card

This procedure tests the Authentication Services for Smart Cards installation. It ensures that the library is installed correctly, the card has been initialized, there is a valid user certificate installed, and the card can be used to log into Active Directory.

To test the Authentication Services for Smart Cards installation

  1. Attach a supported reader.
  2. Insert the initialized card.
  3. Run the following command:
    vastool smartcard test all

    If the card is configured correctly, the command displays output similar to the following:

    Config:
    -------
    Checking that a PKCS#11 library is specified ... ok
    (Specifying PKCS#11 slot is optional)
    Library:
    --------
    Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
    Checking PKCS#11 library may be dynamically loaded ... ok
    Checking PKCS#11 library contains necessary symbols ... ok
    Checking PKCS#11 function list can be obtained ... ok
    Checking PKCS#11 library version is compatible ... ok
    Checking PKCS#11 library can be initialized ... ok
    Checking PKCS#11 library can be finalized ... ok
    Card:
    -----
    Getting mechanisms ... ok
    Checking for required mechanisms ... ok
    Testing that card contains a user ... ok
    User:
    -----
    Testing user j.doe@example.com
    Testing if PIN is required ... ok
    Enter PIN for j.doe@example.com: ****
    Performing login to card ... ok
    Generating signature ... ok
    Verifying signature ... ok
    Login:
    -----
    Testing user j.doe@example.com
    Testing if PIN is required ... ok
    Enter PIN for j.doe@example.com:
    Performing login to card ... ok
    Creating ID for client with UPN 'j.doe@example.com' ... ok
    Establish initial credentials using PKCS#11 ... ok
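The "Library" block of that output is a sequence of ordinary PKCS#11 (Cryptoki) calls that can be reproduced without the card present, which is useful when the vastool output fails early and you want to separate a broken driver install from a card or PIN problem. The following script is an added example, not One Identity's code or part of the vastool tool: it dynamically loads a library, checks that C_GetFunctionList is exported, obtains the function list, reads the Cryptoki version from it, and then calls C_Initialize and C_Finalize through the returned function pointers, stopping at the first failure in the same order the output above reports them. The PKCS#11 type declarations are written out locally (assuming no pkcs11.h is available) and only the leading fields of CK_FUNCTION_LIST are declared, which is enough for these calls on platforms where the structure has natural alignment; treating Cryptoki 2.x or newer as compatible is an assumption rather than the product's own rule.

```python
import ctypes
from ctypes import POINTER, Structure, byref, c_ubyte, c_ulong, c_void_p

# PKCS#11 types declared locally (assumption: no pkcs11.h at hand). CK_RV and
# CK_ULONG are 'unsigned long'; CK_FUNCTION_LIST begins with a CK_VERSION followed
# by C_Initialize, C_Finalize, ... so only that prefix is declared here.
CKR_OK = 0
CK_C_Initialize = ctypes.CFUNCTYPE(c_ulong, c_void_p)   # CK_RV C_Initialize(CK_VOID_PTR)
CK_C_Finalize = ctypes.CFUNCTYPE(c_ulong, c_void_p)     # CK_RV C_Finalize(CK_VOID_PTR)


class CK_VERSION(Structure):
    _fields_ = [("major", c_ubyte), ("minor", c_ubyte)]


class CK_FUNCTION_LIST_HEAD(Structure):
    _fields_ = [("version", CK_VERSION),
                ("C_Initialize", CK_C_Initialize),
                ("C_Finalize", CK_C_Finalize)]


def probe_pkcs11_library(path):
    """Run the 'Library' checks in vastool's order. Returns a list of
    (check, status, detail) tuples and stops at the first failure."""
    results = []
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:
        results.append(("may be dynamically loaded", "failed", str(exc)))
        return results
    results.append(("may be dynamically loaded", "ok", str(path)))

    try:
        get_function_list = lib.C_GetFunctionList
    except AttributeError:
        results.append(("contains necessary symbols", "failed", "C_GetFunctionList not exported"))
        return results
    results.append(("contains necessary symbols", "ok", "C_GetFunctionList"))

    # CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList)
    get_function_list.restype = c_ulong
    get_function_list.argtypes = [POINTER(POINTER(CK_FUNCTION_LIST_HEAD))]
    function_list = POINTER(CK_FUNCTION_LIST_HEAD)()
    rv = get_function_list(byref(function_list))
    if rv != CKR_OK or not function_list:
        results.append(("function list can be obtained", "failed", f"C_GetFunctionList returned 0x{rv:x}"))
        return results
    results.append(("function list can be obtained", "ok", ""))

    version = function_list.contents.version
    if version.major < 2:  # assumed compatibility floor
        results.append(("version is compatible", "failed", f"Cryptoki {version.major}.{version.minor}"))
        return results
    results.append(("version is compatible", "ok", f"Cryptoki {version.major}.{version.minor}"))

    funcs = function_list.contents
    if not funcs.C_Initialize or not funcs.C_Finalize:
        results.append(("can be initialized", "failed", "NULL function pointer in function list"))
        return results
    rv = funcs.C_Initialize(None)
    if rv != CKR_OK:
        results.append(("can be initialized", "failed", f"C_Initialize returned 0x{rv:x}"))
        return results
    results.append(("can be initialized", "ok", ""))
    rv = funcs.C_Finalize(None)
    results.append(("can be finalized", "ok" if rv == CKR_OK else "failed",
                    "" if rv == CKR_OK else f"C_Finalize returned 0x{rv:x}"))
    return results


def first_failure(results):
    """Name of the first failed check, or None when every check passed."""
    for check, status, _ in results:
        if status != "ok":
            return check
    return None


if __name__ == "__main__":
    import sys
    library = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/lib/libxltCk.so"
    for check, status, detail in probe_pkcs11_library(library):
        print(f"Checking PKCS#11 library {check} ... {status} {detail}".rstrip())
```

Point it at the same library path that vas.conf names; a failure reported as "contains necessary symbols" means the file loaded but is not a PKCS#11 module at all (a wrong path or a helper library from the vendor package), which vastool reports the same way.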