To troubleshoot problems with the card reader, first ensure that the reader is connected to the Unix workstation correctly, and that it is detected by the system.
To ensure that the reader is connected correctly
/sbin/lsusb
This displays output showing that the card reader is attached to one of the USB ports. For example:
Bus 003 Device 001: ID 0000:0000 Bus 002 Device 002: ID 04e6:511c SCM Microsystems, Inc. Bus 002 Device 001: ID 0000:0000 Bus 001 Device 001: ID 0000:0000
This shows a Reflex v3 USB reader connected to the workstation.
Note: Some readers require that you insert a card before the USB driver detects it.
Consult your vendors troubleshooting guide for more details on determining whether the reader is connected.
Safeguard Authentication Services for Smart Cards requires that you install a PKCS#11 driver to access cryptographic functions on the smart card.
To determine which PKCS#11 library is installed
# vastool smartcard info library Library: /usr/local/lib/libxltCk.so PKCS#11 version : 2.1 PKCS#11 manufacturer : Gemalto PKCS#11 library description: Gemalto PKCS #11 Module PKCS#11 library version : 5.2
To determine whether the driver is working correctly
For example:
# vastool smartcard test library Testing PKCS#11 library '/usr/local/lib/libxltCk.so': Checking PKCS#11 library may be dynamically loaded ... ok Checking PKCS#11 library contains necessary symbols ... ok Checking PKCS#11 function list can be obtained ... ok Checking PKCS#11 library version is compatible ... ok Checking PKCS#11 library can be initialized ... ok Checking PKCS#11 library can be finalized ... ok
To obtain information about the smart card you are attempting to use for log in
# vastool smartcard info card label : MS interop NS card manufacturerID: Gemalto model : Access eg 32K v2 serial number : 0001162CFF021982 flags : { CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_DUAL_CRYPTO_OPERATIONS} Number of mechanisms on card: 18 CKM_RSA_PKCS_KEY_PAIR_GEN CKM_RSA_PKCS CKM_RSA_X_509 CKM_MD2_RSA_PKCS CKM_MD5_RSA_PKCS CKM_SHA1_RSA_PKCS CKM_DES_KEY_GEN CKM_DES_ECB CKM_DES_CBC CKM_DES_CBC_PAD CKM_DES2_KEY_GEN CKM_DES3_KEY_GEN CKM_DES3_ECB CKM_DES3_CBC CKM_DES3_CBC_PAD CKM_MD2 CKM_MD5 CKM_SHA_1
This displays information about the type of card inserted and the supported cryptographic operations.
To determine whether a particular card can be used with Safeguard Authentication Services for Smart Cards
# vastool smartcard test card
Getting mechanisms ... ok Checking for required mechanisms ... ok Testing that card contains a user ... ok
To log in with a given smart card it must contain a certificate that contains the User Principal Name (UPN) of the user with which that the card can be used to log in.
To determine the user on a given card
# vastool smartcard info user UPN: sc-1-a@a.vas subject = /DC=vas/DC=a/CN=Users/CN=Smartcard 1. A issuer = /DC=vas/DC=a/CN=ca-root-a
This displays information from the user certificate on the card.
serialNumber = 5907991B000100000016 notBefore = Oct 3 04:53:34 2006 GMT notAfter = Oct 3 04:53:34 2007 GMT signatureAlgorithm = sha1WithRSAEncryption keyAlgorithm = rsaEncryption
To determine whether this user is suitable for logging on to Active Directory
# vastool smartcard test user Testing user sc-1-a@a.vas Testing certificate validity ... ok Testing if PIN is required ... ok Enter PIN for sc-1-a@a.vas: Performing login to card ... ok Generating signature ... ok Verifying signature ... ok
This retrieves the user information, tests whether the user on the card is user-enabled, and tests that the certificate can verify digital signatures generated by the card.
To simulate a full log on with Active Directory
# vastool smartcard test login Testing user sc-1-a@a.vas Testing certificate validity ... ok Testing if PIN is required ... ok Enter PIN for sc-1-a@a.vas: Performing login to card ... ok Creating ID for client with UPN 'sc-1-a@a.vas' ... ok Establish initial credentials using PKCS#11 ... ok Enabling debug for vastool commands
To enable additional debugging information
# vastool -d 4 smartcard test login
You can set the debug level from 1-6 for increasing levels of verbosity. Level 4 is generally sufficient for most smart card debugging.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center