Product SiteDocumentation Site

Chapter 5. Using Smart Cards with the Enterprise Security Client

5.1. Supported Smart Cards
5.2. Setting up Users to Be Enrolled
5.3. Enrolling a Smart Card Automatically
5.4. Managing Smart Cards
5.4.1. Formatting the Smart Card
5.4.2. Resetting a Smart Card Password
5.4.3. Viewing Certificates
5.4.4. Importing CA Certificates
5.4.5. Adding Exceptions for Servers
5.4.6. Enrolling Smart Cards
5.5. Diagnosing Problems
5.5.1. Errors
5.5.2. Events
When a smart card is enrolled, it means that user-specific keys and certificates are generated and placed on the card. In Red Hat Enterprise Linux, the interface that works between the user and the system which issues certificates is the Enterprise Security Client. The Enterprise Security Client recognizes when a smart card is inserted (or removed) and signals the appropriate subsystem in Red Hat Certificate System. That subsystem then generates the certificate materials and sends them to the Enterprise Security Client, which writes them to the token. That is the enrollment process.
The following sections contain basic instructions on using the Enterprise Security Client for token enrollment, formatting, and password reset operations.

5.1. Supported Smart Cards

The Enterprise Security Client supports smart cards which are JavaCard 2.1 or higher and Global Platform 2.01-compliant and was tested using the following cards:
  • Safenet 330J Java smart cards
  • Gemalto 64K V2 tokens, both as a smart card and GemPCKey USB form factor key
  • Gemalto GCx4 72K and TOPDLGX4 144K common access cards (CAC)
  • Oberthur ID One V5.2 common access cards (CAC)
  • Personal identity verification (PIV) cards, compliant with FIPS 201

NOTE

Enterprise Security Client does not provision PIV or CAC cards, but it will read them and display information.
Smart card testing was conducted using the SCM SCR331 CCID reader.
The only card manager applet supported with Enterprise Security Client is the CoolKey applet.