This procedure tests the Safeguard Authentication Services for Smart Cards installation. It ensures that the library is installed correctly, the card has been initialized, there is a valid user certificate installed, and the card can be used to log into Active Directory.
To test the Safeguard Authentication Services for Smart Cards installation
vastool smartcard test all
If the card is configured correctly, it displays output similar to the following:
Config:
-------
Checking that a PKCS#11 library is specified ... ok
(Specifying PKCS#11 slot is optional)

Library:
--------
Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... ok
Checking PKCS#11 function list can be obtained ... ok
Checking PKCS#11 library version is compatible ... ok
Checking PKCS#11 library can be initialized ... ok
Checking PKCS#11 library can be finalized ... ok

Card:
-----
Getting mechanisms ... ok
Checking for required mechanisms ... ok
Testing that card contains a user ... ok

User:
-----
Testing user j.doe@example.com
Testing if PIN is required ... ok
Enter PIN for j.doe@example.com: ****
Performing login to card ... ok
Generating signature ... ok
Verifying signature ... ok

Login:
-----
Testing user j.doe@example.com
Testing if PIN is required ... ok
Enter PIN for j.doe@example.com:
Performing login to card ... ok
Creating ID for client with UPN 'j.doe@example.com' ... ok
Establish initial credentials using PKCS#11 ... ok
The vastool smartcard test command provides a number of tests to determine whether you have correctly set up your environment and initialized your cards. While this step is optional, One Identity strongly recommends that you test your configuration before you enable Safeguard Authentication Services for Smart Cards for a specific login service.
Some of the available tests require that you insert a card.
Note: See the vastool man page for more details about the different options available for the vastool smartcard test subcommand.
To test that the PKCS#11 library is configured correctly
For example, to test the currently configured library, enter:
vastool smartcard test library
If it is configured correctly, it returns output similar to:
Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... ok
Checking PKCS#11 function list can be obtained ... ok
Checking PKCS#11 library version is compatible ... ok
Checking PKCS#11 library can be initialized ... ok
Checking PKCS#11 library can be finalized ... ok
To test a library other than the currently configured one
For example:
# vastool smartcard test library \
/usr/local/lib/libxltCk.so
If the library could not be loaded, or does not export a PKCS#11 interface, then vastool smartcard test library displays an error message, similar to the following:
# vastool smartcard test library /usr/local/lib/libpkcs11broken.so
Testing PKCS#11 library '/usr/local/lib/libpkcs11broken.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... failed
ERROR: PKCS#11 library does not contain symbol 'C_GetFunctionList'
To test that a smart card has been correctly initialized
# vastool smartcard test card
Getting mechanisms ... ok
Checking for required mechanisms ... ok
Testing that card contains a user ... ok
This test displays a warning if the card is not recognized, or has not been correctly initialized.
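The following script is an added example, not part of the One Identity documentation or product. It scans vastool smartcard test output for checks that did not report ok, so the result can gate the step that enables smart card login for a service. It assumes the "description ... status" and "ERROR:" line format shown in the samples above; the names check_smartcard_output, sample_ok and sample_broken are hypothetical.

```shell
#!/bin/sh
# Added example, not One Identity code. Assumption: each check is printed as
# "<description> ... <status>" and errors as "ERROR: <text>", as in the samples.

# Reads `vastool smartcard test` output on stdin and prints every check whose
# status is not "ok", plus any ERROR lines.
# Returns 0 = all checks ok, 1 = a check failed, 2 = no check lines seen.
check_smartcard_output() {
    awk '
        / \.\.\. / {
            checks++
            status = $0; sub(/^.* \.\.\. */, "", status)   # text after last " ... "
            sub(/[ \t\r]+$/, "", status)
            desc = $0; sub(/ \.\.\. .*$/, "", desc)        # text before first " ... "
            if (status != "ok") { bad++; printf "FAILED: %s (%s)\n", desc, status }
            next
        }
        /^[ \t]*ERROR:/ { bad++; print }
        END {
            if (checks == 0) exit 2
            exit(bad > 0 ? 1 : 0)
        }
    '
}

# Constructed sample: a passing library test, taken from the output above.
sample_ok() {
    cat <<'EOF'
Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... ok
Checking PKCS#11 function list can be obtained ... ok
EOF
}

# Constructed sample: the failing library test, taken from the output above.
sample_broken() {
    cat <<'EOF'
Testing PKCS#11 library '/usr/local/lib/libpkcs11broken.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... failed
ERROR: PKCS#11 library does not contain symbol 'C_GetFunctionList'
EOF
}

# Demo on the constructed failing sample. On a live host (assumed invocation):
#   vastool smartcard test library 2>&1 | check_smartcard_output
sample_broken | check_smartcard_output || echo "exit status: $?"
```

Treating empty output as a distinct failure (status 2) keeps a missing or misnamed command from being read as a passing test.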