Chat now with support
Chat with Support

Safeguard Authentication Services 5.1 - Authentication Services for Smart Cards Administration Guide

Privileged Access Suite for Unix Introducing Safeguard Authentication Services for Smart Cards Installing Safeguard Authentication Services for Smart Cards Configuring Safeguard Authentication Services for Smart Cards
Configuring the vendor’s PKCS#11 library Configuring the card slot for your PKCS#11 library Configuring PAM applications for smart card login Configuring certificates and CRLs Locking the screen saver upon card removal (macOS)
Testing Safeguard Authentication Services for Smart Cards Troubleshooting

Check the smart card reader

To troubleshoot problems with the card reader, first ensure that the reader is connected to the Unix workstation correctly, and that it is detected by the system.

To ensure that the reader is connected correctly

  1. Run the following command:
    /sbin/lsusb

    This displays output showing that the card reader is attached to one of the USB ports. For example:

    Bus 003 Device 001: ID 0000:0000
    Bus 002 Device 002: ID 04e6:511c SCM Microsystems, Inc.
    Bus 002 Device 001: ID 0000:0000
    Bus 001 Device 001: ID 0000:0000

    This shows a Reflex v3 USB reader connected to the workstation.

    Note: Some readers require that you insert a card before the USB driver detects it.

    Consult your vendors troubleshooting guide for more details on determining whether the reader is connected.

Check the PKCS#11 library

Safeguard Authentication Services for Smart Cards requires that you install a PKCS#11 driver to access cryptographic functions on the smart card.

To determine which PKCS#11 library is installed

  1. Run the vastool smartcard info library command, as follows:
    # vastool smartcard info library
    Library: /usr/local/lib/libxltCk.so
    PKCS#11 version : 2.1
    PKCS#11 manufacturer : Gemalto
    PKCS#11 library description: Gemalto PKCS #11 Module
    PKCS#11 library version : 5.2

To determine whether the driver is working correctly

  1. Run the vastool smartcard test library command.

    For example:

    # vastool smartcard test library
    Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
    Checking PKCS#11 library may be dynamically loaded ... ok
    Checking PKCS#11 library contains necessary symbols ... ok
    Checking PKCS#11 function list can be obtained ... ok
    Checking PKCS#11 library version is compatible ... ok
    Checking PKCS#11 library can be initialized ... ok
    Checking PKCS#11 library can be finalized ... ok

Check the card

To obtain information about the smart card you are attempting to use for log in

  1. Run the vastool smartcard info card command, as follows:
    # vastool smartcard info card
    label : MS interop NS card
    manufacturerID: Gemalto
    model : Access eg 32K v2
    serial number : 0001162CFF021982
    flags : { CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED
    CKF_DUAL_CRYPTO_OPERATIONS}
    Number of mechanisms on card: 18
    CKM_RSA_PKCS_KEY_PAIR_GEN
    CKM_RSA_PKCS
    CKM_RSA_X_509
    CKM_MD2_RSA_PKCS
    CKM_MD5_RSA_PKCS
    CKM_SHA1_RSA_PKCS
    CKM_DES_KEY_GEN
    CKM_DES_ECB
    CKM_DES_CBC
    CKM_DES_CBC_PAD
    CKM_DES2_KEY_GEN
    CKM_DES3_KEY_GEN
    CKM_DES3_ECB
    CKM_DES3_CBC
    CKM_DES3_CBC_PAD
    CKM_MD2
    CKM_MD5
    CKM_SHA_1

    This displays information about the type of card inserted and the supported cryptographic operations.

To determine whether a particular card can be used with Safeguard Authentication Services for Smart Cards

  1. Run the vastool smartcard test card command, as follows:
    # vastool smartcard test card
    Getting mechanisms ... ok
    Checking for required mechanisms ... ok
    Testing that card contains a user ... ok

Check login

To log in with a given smart card it must contain a certificate that contains the User Principal Name (UPN) of the user with which that the card can be used to log in.

To determine the user on a given card

  1. Run the vastool smartcard info user command, as follows:
    # vastool smartcard info user
    UPN: sc-1-a@a.vas
    subject = /DC=vas/DC=a/CN=Users/CN=Smartcard 1. A
    issuer = /DC=vas/DC=a/CN=ca-root-a

    This displays information from the user certificate on the card.

    serialNumber = 5907991B000100000016
    notBefore = Oct 3 04:53:34 2006 GMT
    notAfter = Oct 3 04:53:34 2007 GMT
    signatureAlgorithm = sha1WithRSAEncryption
    keyAlgorithm = rsaEncryption

To determine whether this user is suitable for logging on to Active Directory

  1. Run the vastool smartcard test user command, as follows:
    # vastool smartcard test user
    Testing user sc-1-a@a.vas
    Testing certificate validity ... ok
    Testing if PIN is required ... ok
    Enter PIN for sc-1-a@a.vas:
    Performing login to card ... ok
    Generating signature ... ok
    Verifying signature ... ok

    This retrieves the user information, tests whether the user on the card is user-enabled, and tests that the certificate can verify digital signatures generated by the card.

To simulate a full log on with Active Directory

  1. Run the vastool smartcard test login command, as follows:
    # vastool smartcard test login
    Testing user sc-1-a@a.vas
    Testing certificate validity ... ok
    Testing if PIN is required ... ok
    Enter PIN for sc-1-a@a.vas:
    Performing login to card ... ok
    Creating ID for client with UPN 'sc-1-a@a.vas' ... ok
    Establish initial credentials using PKCS#11 ... ok
    Enabling debug for vastool commands

To enable additional debugging information

  1. Run vastool with the -d option, as follows:
    # vastool -d 4 smartcard test login

    You can set the debug level from 1-6 for increasing levels of verbosity. Level 4 is generally sufficient for most smart card debugging.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating