
Safeguard Authentication Services 4.2 - Authentication Services for Smart Cards Administration Guide


Testing the configuration

The vastool smartcard test command provides a number of tests to determine whether you have correctly set up your environment and initialized your cards. While this step is optional, One Identity strongly recommends that you test your configuration before you enable Authentication Services for Smart Cards for a specific login service.

Some of the available tests require that you insert a card.

Note: See the vastool man page for more details about the different options available for the vastool smartcard test subcommand.

Test the PKCS#11 library

To test that the PKCS#11 library is configured correctly

  1. Run the vastool smartcard test library command.

    For example, to test the currently configured library, enter:

    vastool smartcard test library

    If it is configured correctly, it returns output similar to:

    Testing PKCS#11 library '/usr/local/lib/libxltCk.so': 
    Checking PKCS#11 library may be dynamically loaded ... ok 
    Checking PKCS#11 library contains necessary symbols ... ok 
    Checking PKCS#11 function list can be obtained ... ok 
    Checking PKCS#11 library version is compatible ... ok 
    Checking PKCS#11 library can be initialized ... ok
    Checking PKCS#11 library can be finalized ... ok

To test a library other than the currently configured one

  1. Specify an argument to vastool smartcard test library.

    For example:

    # vastool smartcard test library \
    /usr/local/lib/libxltCk.so

    If the library could not be loaded, or does not export a PKCS#11 interface, then vastool smartcard test library displays an error message, similar to the following:

    # vastool smartcard test library \
    /usr/local/lib/libpkcs11broken.so
    Testing PKCS#11 library '/usr/local/lib/libpkcs11broken.so':
    Checking PKCS#11 library may be dynamically loaded ... ok
    Checking PKCS#11 library contains necessary symbols ... failed
    ERROR: PKCS#11 library does not contain symbol 'C_GetFunctionList'

Test the smart card is initialized correctly

To test that a smart card has been correctly initialized

  1. Insert the smart card into the reader.
  2. Run vastool smartcard test card. For example:
    # vastool smartcard test card
    Getting mechanisms ... ok
    Checking for required mechanisms ... ok
    Testing that card contains a user ... ok

This test displays a warning if the card is not recognized, or has not been correctly initialized.

Test the smart card user

To test that a card has been initialized with an appropriate user

  1. Run the vastool smartcard test user command, as follows:
    # vastool smartcard test user
    Testing user user@vas.example
    Testing certificate validity ... ok
    Testing if PIN is required ... ok
    Enter PIN for user@vas.example: xxxxxxxx
    Performing login to card ... ok
    Generating signature ... ok
    Verifying signature ... ok

    This tests whether a valid user is on the card, and whether you are able to log in to the card and use its cryptographic functions. If your card requires a PIN, enter it at the prompt.

    The vastool smartcard test card command generates output similar to the following:

    CKM_RSA_X_509 CKM_MD2_RSA_PKCS CKM_MD5_RSA_PKCS CKM_SHA1_RSA_PKCS
    CKM_DES_KEY_GEN CKM_DES_ECB CKM_DES_CBC CKM_DES_CBC_PAD CKM_DES2_KEY_GEN
    CKM_DES3_KEY_GEN CKM_DES3_ECB CKM_DES3_CBC CKM_DES3_CBC_PAD CKM_MD2 CKM_MD5
    CKM_SHA_1
    Checking that CKM_RSA_PKCS mechanism is supported ... ok
    Checking info for CKM_RSA_PKCS mechanism ... ok
    Checking CKM_RSA_PKCS mechanism supports signing ... ok
    Checking CKM_RSA_PKCS mechanism supports decryption ... ok
    Testing that card contains a user ... ok
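
The checks above can be scripted as a gate that runs before smart card login is enabled for a service. The following is an added example, not part of the One Identity documentation or product: summarize_checks and run_gate are hypothetical names, and it assumes the "... ok" / "... failed" / "ERROR:" line format shown in the sample output above, because this page does not document vastool's exit status.

```shell
#!/bin/sh
# Added example (not One Identity code). Assumption: every check prints
# "<description> ... ok" or "<description> ... failed", with detail on
# "ERROR:" lines, as in the sample output on this page.

# Read test output on stdin, print failed checks and ERROR lines, and
# return 0 only if at least one check ran and none failed.
summarize_checks() {
    awk '
        / \.\.\. ok[ \t]*$/     { passed++; next }
        / \.\.\. failed[ \t]*$/ { failed++; sub(/ \.\.\. failed[ \t]*$/, "")
                                  print "FAILED: " $0; next }
        /^[ \t]*ERROR:/         { sub(/^[ \t]*/, ""); print; next }
        END { printf "%d passed, %d failed\n", passed, failed
              exit ((failed > 0 || passed == 0) ? 1 : 0) }'
}

# Hypothetical wrapper: stop at the first failing non-interactive test.
# "test user" prompts for a PIN, so run that one by hand.
run_gate() {
    for t in library card; do
        vastool smartcard test "$t" 2>&1 | summarize_checks || return 1
    done
}

# Sample inputs, copied from the output shown on this page.
sample_good() {
    cat <<'EOF'
Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... ok
Checking PKCS#11 function list can be obtained ... ok
Checking PKCS#11 library version is compatible ... ok
Checking PKCS#11 library can be initialized ... ok
Checking PKCS#11 library can be finalized ... ok
EOF
}
sample_broken() {
    cat <<'EOF'
Testing PKCS#11 library '/usr/local/lib/libpkcs11broken.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... failed
ERROR: PKCS#11 library does not contain symbol 'C_GetFunctionList'
EOF
}

# Demo on the embedded broken-library output.
sample_broken | summarize_checks || echo "gate: do not enable smart card login yet"
```

A run with zero recognized checks is treated as a failure, so an empty or unexpected output cannot pass the gate silently.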