Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email supportadmin@quest.com for assistance

Safeguard Authentication Services 6.0 LTS - Authentication Services for Smart Cards Administration Guide

Privileged Access Suite for UNIX Introducing Safeguard Authentication Services for Smart Cards Installing Safeguard Authentication Services for Smart Cards Configuring Safeguard Authentication Services for Smart Cards
Configuring the vendor’s PKCS#11 library Configuring the card slot for your PKCS#11 library Configuring PAM applications for smart card login Configuring certificates and CRLs Locking the screen saver upon card removal (macOS)
Testing Safeguard Authentication Services for Smart Cards Troubleshooting

Force an update of certificates

You can manually update the trusted certificates outside the configured period. For example, to retrieve a recently added trusted certificate, use the -f option with the vastool smartcard trusted-certs command, as follows:

vastool smartcard trusted-certs update -f

This command removes the existing certificates from the NtAuth subdirectory and retrieves all the current trusted certificates from Active Directory.

Disable bootstrap and manage certificates and CRLs manually

You can disable certificate bootstrapping and CRL downloading and distribute these items to Safeguard Authentication Services clients by other means, such as Group Policy.

To disable bootstrap and manage certificates and CRLs manually

  1. Set the auto-crl-download, auto-crl-removal and bootstrap-trusted-certs options to false in the [pkinit] section of the /etc/opt/quest/vas/vas.conf files, as follows:

    [pkinit]
    auto-crl-download = false
    auto-crl-removal = false
    bootstrap-trusted-certs = false
  2. Place the trusted certificates in the /var/opt/quest/vas/certs directory.

  3. Place CRLs in the /var/opt/quest/vas/crls directory.

Locking the screen saver upon card removal (macOS)

The ability to lock the screen saver when a token is removed is a feature and function of the macOS screen saver.

To enforce this setting using Mac OS X Group Policy

  1. On the Windows administrative machine that has the Safeguard Authentication Services components installed, navigate to User Configuration > Mac OS X Settings > Preference Manifests > Screen Saver Security.

  2. Set the following settings to ensure that the screen saver becomes locked and stays locked once the smart card is removed:

    • Screensaver Require Password Delay: 0

    • Require Password For Screensaver Unlock: 1

Testing Safeguard Authentication Services for Smart Cards

After you install and configure Safeguard Authentication Services for Smart Cards to work with your vendor's PKCS#11 library drivers, you will want to validate your installation.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating