Authentication Services for Smart Cards requires that you install a PKCS#11 driver to access cryptographic functions on the smart card.
To determine which PKCS#11 library is installed
# vastool smartcard info library
Library: /usr/local/lib/libxltCk.so
PKCS#11 version : 2.1
PKCS#11 manufacturer : Gemalto
PKCS#11 library description: Gemalto PKCS #11 Module
PKCS#11 library version : 5.2
To determine whether the driver is working correctly
For example:
# vastool smartcard test library
Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... ok
Checking PKCS#11 function list can be obtained ... ok
Checking PKCS#11 library version is compatible ... ok
Checking PKCS#11 library can be initialized ... ok
Checking PKCS#11 library can be finalized ... ok
To obtain information about the smart card you are attempting to use for login
# vastool smartcard info card
label : MS interop NS card
manufacturerID: Gemalto
model : Access eg 32K v2
serial number : 0001162CFF021982
flags : { CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_DUAL_CRYPTO_OPERATIONS}
Number of mechanisms on card: 18
CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_RSA_PKCS
CKM_RSA_X_509
CKM_MD2_RSA_PKCS
CKM_MD5_RSA_PKCS
CKM_SHA1_RSA_PKCS
CKM_DES_KEY_GEN
CKM_DES_ECB
CKM_DES_CBC
CKM_DES_CBC_PAD
CKM_DES2_KEY_GEN
CKM_DES3_KEY_GEN
CKM_DES3_ECB
CKM_DES3_CBC
CKM_DES3_CBC_PAD
CKM_MD2
CKM_MD5
CKM_SHA_1
This displays information about the type of card inserted and the supported cryptographic operations.
To determine whether a particular card can be used with Authentication Services for Smart Cards
# vastool smartcard test card
Getting mechanisms ... ok
Checking for required mechanisms ... ok
Testing that card contains a user ... ok
To log in with a given smart card, the card must contain a certificate that carries the User Principal Name (UPN) of the user as whom the card can be used to log in.
To determine the user on a given card
# vastool smartcard info user
UPN: sc-1-a@a.vas
subject = /DC=vas/DC=a/CN=Users/CN=Smartcard 1. A
issuer = /DC=vas/DC=a/CN=ca-root-a
serialNumber = 5907991B000100000016
notBefore = Oct 3 04:53:34 2006 GMT
notAfter = Oct 3 04:53:34 2007 GMT
signatureAlgorithm = sha1WithRSAEncryption
keyAlgorithm = rsaEncryption
This displays information from the user certificate on the card.
To determine whether this user is suitable for logging on to Active Directory
# vastool smartcard test user
Testing user sc-1-a@a.vas
Testing certificate validity ... ok
Testing if PIN is required ... ok
Enter PIN for sc-1-a@a.vas:
Performing login to card ... ok
Generating signature ... ok
Verifying signature ... ok
This retrieves the user information, tests whether the user on the card is user-enabled, and tests that the certificate can verify digital signatures generated by the card.
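The card and user checks above can be reproduced offline from the text reports. The following Python script is an added example and is not part of One Identity's vastool: it parses the `info card` and `info user` reports shown on this page (embedded below as constructed samples) and applies checks of the same kind that `test card` and `test user` perform, namely that the card offers the mechanisms a logon needs, that the card's PIN state is consistent with its flags, and that the user certificate carries a UPN and is inside its validity window. The set of required mechanisms (`CKM_RSA_PKCS`, `CKM_SHA1_RSA_PKCS`) is an assumption for illustration; the page does not state the exact set vastool requires.

```python
"""Offline checks over `vastool smartcard info card` / `info user` reports.

Added example, not part of One Identity's vastool. The sample reports below
are constructed from the output shown on this page.
"""
import re
from datetime import datetime, timezone

# Assumption for illustration: an RSA-based smart card logon needs at least
# these mechanisms. The page does not state the exact set vastool requires.
REQUIRED_MECHANISMS = {"CKM_RSA_PKCS", "CKM_SHA1_RSA_PKCS"}

# Constructed sample: the `info card` report from this page.
CARD_REPORT = """\
label : MS interop NS card
manufacturerID: Gemalto
model : Access eg 32K v2
serial number : 0001162CFF021982
flags : { CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_DUAL_CRYPTO_OPERATIONS}
Number of mechanisms on card: 18
CKM_RSA_PKCS_KEY_PAIR_GEN CKM_RSA_PKCS CKM_RSA_X_509 CKM_MD2_RSA_PKCS
CKM_MD5_RSA_PKCS CKM_SHA1_RSA_PKCS CKM_DES_KEY_GEN CKM_DES_ECB CKM_DES_CBC
CKM_DES_CBC_PAD CKM_DES2_KEY_GEN CKM_DES3_KEY_GEN CKM_DES3_ECB CKM_DES3_CBC
CKM_DES3_CBC_PAD CKM_MD2 CKM_MD5 CKM_SHA_1
"""

# Constructed sample: the `info user` report from this page.
USER_REPORT = """\
UPN: sc-1-a@a.vas
subject = /DC=vas/DC=a/CN=Users/CN=Smartcard 1. A
issuer = /DC=vas/DC=a/CN=ca-root-a
serialNumber = 5907991B000100000016
notBefore = Oct  3 04:53:34 2006 GMT
notAfter = Oct  3 04:53:34 2007 GMT
signatureAlgorithm = sha1WithRSAEncryption
keyAlgorithm = rsaEncryption
"""


def parse_card_report(text):
    """Collect the CKF_ flags, the CKM_ mechanisms and the declared mechanism count."""
    count = re.search(r"Number of mechanisms on card:\s*(\d+)", text)
    return {
        "flags": set(re.findall(r"\bCKF_\w+", text)),
        "mechanisms": set(re.findall(r"\bCKM_\w+", text)),
        "declared_count": int(count.group(1)) if count else None,
    }


def check_card(card):
    """Return the reasons the card cannot be used for logon (empty list = usable)."""
    problems = []
    missing = REQUIRED_MECHANISMS - card["mechanisms"]
    if missing:
        problems.append("missing mechanisms: " + ", ".join(sorted(missing)))
    declared = card["declared_count"]
    if declared is not None and declared != len(card["mechanisms"]):
        problems.append(f"card declares {declared} mechanisms but {len(card['mechanisms'])} were listed")
    if "CKF_LOGIN_REQUIRED" in card["flags"] and "CKF_USER_PIN_INITIALIZED" not in card["flags"]:
        problems.append("card requires a PIN login but no user PIN is initialized")
    return problems


def parse_user_report(text):
    """Split 'key: value' / 'key = value' lines; values such as the subject contain '=' themselves."""
    fields = {}
    for line in text.splitlines():
        match = re.match(r"^\s*(\w+)\s*[:=]\s*(.*?)\s*$", line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def parse_cert_time(value):
    """Parse the openssl-style 'Oct  3 04:53:34 2006 GMT' timestamp as an aware UTC datetime."""
    normalized = " ".join(value.split())
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def check_user(user, now):
    """Return the problems that would stop this certificate from mapping to an AD logon."""
    problems = []
    if "@" not in user.get("UPN", ""):
        problems.append("certificate carries no UPN, so it cannot be mapped to an AD account")
    if "notBefore" not in user or "notAfter" not in user:
        problems.append("certificate validity period is missing")
        return problems
    not_before, not_after = parse_cert_time(user["notBefore"]), parse_cert_time(user["notAfter"])
    if now < not_before:
        problems.append(f"certificate is not valid before {not_before:%Y-%m-%d}")
    elif now > not_after:
        problems.append(f"certificate expired on {not_after:%Y-%m-%d}")
    if user.get("signatureAlgorithm", "").lower().startswith(("md2", "md5", "sha1")):
        problems.append("warning: certificate is signed with a deprecated digest")
    return problems


def run_checks(card_text=CARD_REPORT, user_text=USER_REPORT, now=None):
    """Run both report checks; `now` defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    return {
        "card": check_card(parse_card_report(card_text)),
        "user": check_user(parse_user_report(user_text), now),
    }


if __name__ == "__main__":
    # Evaluate the 2006 sample certificate at a date inside its validity window.
    for name, problems in run_checks(now=parse_cert_time("Jan 1 00:00:00 2007 GMT")).items():
        print(name, "ok" if not problems else problems)
```

Run against today's date the sample certificate is reported as expired, which is the same condition `test user` would flag under "Testing certificate validity"; the deprecated-digest line is only a warning, since whether a SHA-1 signed logon certificate is still accepted depends on the domain's policy.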
To simulate a full logon with Active Directory
# vastool smartcard test login
Testing user sc-1-a@a.vas
Testing certificate validity ... ok
Testing if PIN is required ... ok
Enter PIN for sc-1-a@a.vas:
Performing login to card ... ok
Creating ID for client with UPN 'sc-1-a@a.vas' ... ok
Establish initial credentials using PKCS#11 ... ok
Enabling debug for vastool commands
To enable additional debugging information
# vastool -d 4 smartcard test login
You can set the debug level from 1 to 6 for increasing levels of verbosity. Level 4 is generally sufficient for most smart card debugging.
The pam_vas_smartcard module supports an additional debug option that enables syslog to capture debugging information. This option is the same as the debug option supported by the pam_vas3 module. See Enabling diagnostic logging in the Authentication Services Administration Guide for more information on how to configure syslog for this option.
© 2022 One Identity LLC. All rights reserved.