Chat now with support
Chat with Support

Quest has tools and processes in place to identify, protect, detect, and remediate vulnerabilities and incidents when they occur, including external security partners. As part of our standard security operations, Quest does not use CrowdStrike in any of our operations. We are reviewing our third parties, and so far, there is minimal affect. It is Quest's policy not to provide further technical details unless they directly impact customer data.

Safeguard Authentication Services 6.0 LTS - Authentication Services for Smart Cards Administration Guide

Privileged Access Suite for UNIX Introducing Safeguard Authentication Services for Smart Cards Installing Safeguard Authentication Services for Smart Cards Configuring Safeguard Authentication Services for Smart Cards
Configuring the vendor’s PKCS#11 library Configuring the card slot for your PKCS#11 library Configuring PAM applications for smart card login Configuring certificates and CRLs Locking the screen saver upon card removal (macOS)
Testing Safeguard Authentication Services for Smart Cards Troubleshooting

Checking the smart card reader

To troubleshoot problems with the card reader, first ensure that the reader is connected to the UNIX workstation correctly, and that it is detected by the system.

To ensure that the reader is connected correctly, run the following command:

/sbin/lsusb

This displays output showing that the card reader is attached to one of the USB ports. For example:

Bus 003 Device 001: ID 0000:0000
Bus 002 Device 002: ID 04e6:511c SCM Microsystems, Inc.
Bus 002 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000

This shows a Reflex v3 USB reader connected to the workstation.

NOTE: Some readers require that you insert a card before the USB driver detects it.

Consult your vendors troubleshooting guide for more details on determining whether the reader is connected.

Checking the PKCS#11 library

Safeguard Authentication Services for Smart Cards requires that you install a PKCS#11 driver to access cryptographic functions on the smart card.

To determine which PKCS#11 library is installed, run the vastool smartcard info library command, as follows:

# vastool smartcard info library
Library: /usr/local/lib/libxltCk.so
PKCS#11 version : 2.1
PKCS#11 manufacturer : Gemalto
PKCS#11 library description: Gemalto PKCS #11 Module
PKCS#11 library version : 5.2

To determine whether the driver is working correctly, run the vastool smartcard test library command. For example:

# vastool smartcard test library
Testing PKCS#11 library '/usr/local/lib/libxltCk.so':
Checking PKCS#11 library may be dynamically loaded ... ok
Checking PKCS#11 library contains necessary symbols ... ok
Checking PKCS#11 function list can be obtained ... ok
Checking PKCS#11 library version is compatible ... ok
Checking PKCS#11 library can be initialized ... ok
Checking PKCS#11 library can be finalized ... ok

Checking the card

To obtain information about the smart card you are attempting to use for log in, run the vastool smartcard info card command, as follows:

# vastool smartcard info card
label : MS interop NS card
manufacturerID: Gemalto
model : Access eg 32K v2
serial number : 0001162CFF021982
flags : { CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED
CKF_DUAL_CRYPTO_OPERATIONS}
Number of mechanisms on card: 18
CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_RSA_PKCS
CKM_RSA_X_509
CKM_MD2_RSA_PKCS
CKM_MD5_RSA_PKCS
CKM_SHA1_RSA_PKCS
CKM_DES_KEY_GEN
CKM_DES_ECB
CKM_DES_CBC
CKM_DES_CBC_PAD
CKM_DES2_KEY_GEN
CKM_DES3_KEY_GEN
CKM_DES3_ECB
CKM_DES3_CBC
CKM_DES3_CBC_PAD
CKM_MD2
CKM_MD5
CKM_SHA_1

This displays information about the type of card inserted and the supported cryptographic operations.

To determine whether a particular card can be used with Safeguard Authentication Services for Smart Cards, run the vastool smartcard test card command, as follows:

# vastool smartcard test card
Getting mechanisms ... ok
Checking for required mechanisms ... ok
Testing that card contains a user ... ok

Checking login

To log in with a given smart card it must contain a certificate that contains the User Principal Name (UPN) of the user with which the card can be used to log in.

To determine the user on a given card, run the vastool smartcard info user command, as follows:

# vastool smartcard info user
UPN: sc-1-a@a.vas
subject = /DC=vas/DC=a/CN=Users/CN=Smartcard 1. A
issuer = /DC=vas/DC=a/CN=ca-root-a

This displays information from the user certificate on the card.

serialNumber = 5907991B000100000016
notBefore = Oct 3 04:53:34 2006 GMT
notAfter = Oct 3 04:53:34 2007 GMT
signatureAlgorithm = sha1WithRSAEncryption
keyAlgorithm = rsaEncryption

To determine whether this user is suitable for logging on to Active Directory, run the vastool smartcard test user command, as follows:

# vastool smartcard test user
Testing user sc-1-a@a.vas
Testing certificate validity ... ok
Testing if PIN is required ... ok
Enter PIN for sc-1-a@a.vas:
Performing login to card ... ok
Generating signature ... ok
Verifying signature ... ok

This retrieves the user information, tests whether the user on the card is user-enabled, and tests that the certificate can verify digital signatures generated by the card.

To simulate a full log on with Active Directory, run the vastool smartcard test login command, as follows:

# vastool smartcard test login
Testing user sc-1-a@a.vas
Testing certificate validity ... ok
Testing if PIN is required ... ok
Enter PIN for sc-1-a@a.vas:
Performing login to card ... ok
Creating ID for client with UPN 'sc-1-a@a.vas' ... ok
Establish initial credentials using PKCS#11 ... ok
Enabling debug for vastool commands

To enable additional debugging information, run vastool with the -d option, as follows:

# vastool -d 4 smartcard test login

You can set the debug level from 1-6 for increasing levels of verbosity. Level 4 is generally sufficient for most smart card debugging.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating