Chat now with support
Chat with Support

Safeguard Authentication Services 4.2 - Authentication Services for Smart Cards Administration Guide

One Identity Privileged Access Suite for Unix Introducing Authentication Services for Smart Cards Installing Authentication Services for Smart Cards Configuring Authentication Services for Smart Cards
Configuring the vendor’s PKCS#11 library Configuring the card slot for your PKCS#11 library Configuring PAM applications for smart card login Configuring certificates and CRLs Locking the screen saver upon card removal (macOS)
Testing Authentication Services for Smart Cards Troubleshooting

Configuring the card slot for your PKCS#11 library

If you have multiple readers, or your card reader supports multiple slots, your vendor's PKCS#11 library may require you to specify the card slot with which you will be using to log in. If you do not specify a slot, Authentication Services for Smart Cards will probe for the first available slot. Typically, you will not need to configure this option. For more details on which slot number to configure consult your vendor's PKCS#11 documentation.

If the slot is not specified correctly then some smart card functions may return an error, for example:

vastool smartcard info card
ERROR: smart card is not present in slot

Configuring the card slot using VASTOOL

To configure the location of the PKCS#11 library using vastool

  1. Log in and open a root shell.
  2. Run the command:
    vastool smartcard configure pkcs11 slot \
    <slot-id>

    where <slot-id> is the card slot.

Note: You can remove the PKCS#11 slot from the configuration by running the vastool smartcard unconfigure pkcs11 slot command.

Configuring the vendor's PKCS#11 slot by editing the configuration file

You can manually configure the location of the vendor's PKCS#11 card slot by editing the setting in the /etc/opt/quest/vas.conf file.

To configure the location of the PKCS#11 card slot in vas.conf

  1. Log in and open a root shell.
  2. Open the /etc/opt/quest/vas/vas.conf file in the editor of your choice.
  3. Locate the [pkcs11] section (or add one if not present), and add the following:
    pkcs11-slot = <slot-id>

    where <slot-id> is the number of the slot you want to use to log in.

Note: Remember that specifying a slot id is optional. Authentication Services for Smart Cards will probe for an available slot if a slot id is not specified.

Configuring PAM applications for smart card login

To integrate Authentication Services for Smart Cards with existing applications you need to configure PAM. This section describes in detail how to configure the pam_vas_smartcard module for different scenarios, and gives recommendations for which options works well with some common login applications. The following topics are discussed:

  • Security issues when configuring smart card login
  • Usability issues when configuring smart card login
  • Configuring PAM for smart card only login
  • Configuring PAM for smart card and password login
  • Configuring GDM
  • Configuring KDM
  • Configuring XDM
  • Configuring Console Login
  • Configuring Dtlogin

You can find background information on PAM and configuring Authentication Services PAM modules in the Authentication Services Administration Guide, which can be found on the Authentication Services - Technical Documentation page on the One Identity support site.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating